ABSTRACT

The deductive approach is a formal program-construction method in which the derivation of a program from a given specification is regarded as a theorem-proving task. To construct a program whose output satisfies the conditions of the specification, we prove a theorem stating the existence of such an output. The proof is restricted to be sufficiently constructive so that a program computing the desired output can be extracted directly from the proof. The program we obtain is applicative and may consist of several mutually recursive procedures. The proof constitutes a demonstration of the correctness of this program.

To exhibit the full power of the deductive approach, we apply it to a nontrivial example — the synthesis of a unification algorithm. Unification is the process of finding a common instance of two expressions. Algorithms to perform unification have been central to many theorem-proving systems and some programming-language processors.

The task of deriving a unification algorithm automatically is beyond the power of existing program-synthesis systems. In this paper, we use the deductive approach to derive an algorithm from a simple, high-level specification of the unification task. We will identify some of the capabilities required of a theorem-proving system to perform this derivation automatically.

This paper will appear in Automatic Program Construction (G. Guiho, ed.), NATO Scientific Series, D. Reidel Pub. Co., Dordrecht, Holland, 1981.

The research was supported in part by the National Science Foundation under Grants MCS-78-02591 and MCS-79-09495, in part by the Office of Naval Research under Contracts N00014-75-C-0816 and N00014-76-C-0687, and in part by the Air Force Office of Scientific Research under Contract AFOSR-81-0014.


INTRODUCTION

In an earlier paper (Manna and Waldinger [1980]) we describe a deductive approach to program synthesis. In this approach, program synthesis is regarded as a theorem-proving task: Given a high-level specification of the purpose of the program, we prove a theorem that establishes the existence of an output satisfying this specification. The proof is restricted to be sufficiently constructive so that the desired program can be extracted directly. This approach is the direct descendant of the technique applied, e.g., by Green [1969] and by Waldinger and Lee [1969].

In the earlier paper, we only applied the technique to very simple examples. In this paper, we consider a somewhat more difficult task: the synthesis of a unification algorithm.

Unification is the process of finding a common instance of two expressions. If such an instance exists, the algorithm is to produce a substitution that will yield that instance when applied to either of the expressions. If no common instance exists, the algorithm is to produce a special symbol indicating this situation. The first unification algorithm appeared in Herbrand's [1930] thesis, but the procedure did not come to widespread attention until it was rediscovered by Prawitz [1960] and employed by Robinson [1965] in his resolution principle for automatic theorem proving. Since then, the algorithm has been used not only for resolution theorem proving but also in many nonresolution theorem provers (see Bledsoe [1977]) and some programming-language processors (e.g., PLANNER, see Hewitt [1971], or PROLOG, see Warren et al. [1977] or Colmerauer et al. [1979]).

Because of its importance in theorem proving and other applications, some effort has gone into the design of efficient unification algorithms (e.g., Martelli and Montanari [1976]; Paterson and Wegman [1978]) and the extension of the algorithm to more complex logical theories (e.g., higher-order logic, Huet [1975]; associative and commutative theories, Stickel [1975], Livesey et al. [1979]).

The unification algorithm was the subject of partial verification efforts (e.g., Waldinger and Levitt [1974]) and an example of automatic debugging (von Henke and Luckham [1974]). An early attempt to synthesize such a program appeared in Manna and Waldinger [1975]. Nevertheless, no complete automatic synthesis, or even verification, of the algorithm has been completed by any system.

The derivation presented in this paper depends on the formulation of a theory of expressions and substitutions. Intuitive observations about these objects can then be expressed and proved within the theory. In this paper, we set down, without proof, those results necessary for the derivation. A full presentation of the theory of expressions and substitutions is included in our forthcoming book (Manna and Waldinger [1982]).

The proof on which the derivation is based is presented in full. A summary of those aspects of the deductive approach necessary to understand the derivation is included. Although this proof can be expressed in the deductive tableau formalism of our [1980] paper, it is given here informally. We do not attempt to describe strategies under which the proof could be generated automatically. However, afterwards we consider what capabilities would be required of a theorem-proving system to discover such a proof.


THE DEDUCTIVE APPROACH

The specification of a program allows us to express the purpose of the desired program without indicating an algorithm by which that purpose is to be achieved. In general, we are considering the synthesis of programs whose specifications have the form

$f(a) \Leftarrow$ find $z$ such that $R(a, z)$
        where $P(a)$.

Here, $a$ denotes the input of the desired program and $z$ denotes its output. The input condition $P(a)$ expresses the class of legal inputs to which the program is expected to apply. The output condition $R(a, z)$ describes the relation the output $z$ is intended to satisfy.

For example, to specify a program to compute the integer square-root of a nonnegative integer $n$, we would write

$sqrt(n) \Leftarrow$ find $z$ such that $integer(z)$ and $z^2 \le n < (z + 1)^2$
        where $integer(n)$ and $0 \le n$.

A specification of the above form describes an applicative program, one that yields an output but produces no side effects. To derive a program from such a specification, we attempt to prove a theorem of the form

$(\forall a)(\exists z)[\text{if } P(a) \text{ then } R(a, z)].$

This theorem states that, for every input $a$, there exists an output $z$ satisfying the output condition, provided that the input satisfies the input condition. The proof of this theorem must be constructive, in the sense that, in proving the existence of a satisfactory output $z$, it must tell us how to find such an output. From this proof, a program to compute $z$ can be extracted.

WELL-FOUNDED INDUCTION

The formation of repetitive program constructs in the deductive approach depends on the application of the principle of mathematical induction. The induction principle we use is the principle of "well-founded induction," which applies to a wide variety of mathematical structures and results in the formation of a recursive procedure in the program being constructed. Before we can present the induction principle, we must introduce the notion of a "well-founded ordering."

Definition: If $\succ$ is a relation over a set $S$, we will say that $\succ$ satisfies the decreasing sequence condition if there are no infinite decreasing sequences $x_1, x_2, x_3, \ldots$ of elements of $S$; i.e., there are no sequences such that

$x_1 \succ x_2 \succ x_3 \succ \ldots\,.$

For example, the ordinary "greater-than" relation $>$ over the nonnegative integers satisfies the decreasing sequence condition. The same relation over all the integers does not.

Definition: If $\succ$ is a relation over a set $S$, we will say that $\succ$ is a well-founded ordering and $S$ is a well-founded set under this ordering if

• $\succ$ is transitive and

• $\succ$ satisfies the decreasing sequence condition.

We will regard $y \prec x$ as synonymous with $x \succ y$.

For example, the following are all well-founded orderings:

• The $>$ relation over the nonnegative integers

• The subset relation over the finite sets

• The subtree relation over the finite trees.

The principle of well-founded induction may be expressed as follows:

Let $\succ$ be a well-founded ordering over a set $S$. Then to prove that a statement $Q(a)$ is true for all elements $a$ of $S$, consider an arbitrary element $a$ of $S$, assume the induction hypothesis

$(\forall x)[\text{if } x \prec a \text{ then } Q(x)]$

and prove that the conclusion

$Q(a)$

then follows.

When we are applying the well-founded induction principle in a program-synthesis context, we may use the following special form:

Let $\succ$ be a well-founded ordering over a set $S$. To construct a program $f$ satisfying the specification

$f(a) \Leftarrow$ find $z$ such that $R(a, z)$
        where $P(a)$,

where the inputs $a$ belong to a well-founded set, consider an arbitrary input $a$, assume the induction hypothesis

$(\forall x)[\text{if } x \prec a \text{ then if } P(x) \text{ then } R(x, f(x))]$

and then prove the conclusion

$(\exists z)R(a, z).$

In other words, we consider an arbitrary input $a$, and find an output $z$ satisfying the given specification, under the following induction hypothesis: the program $f(x)$ we are trying to construct will satisfy the specification for all inputs $x$ that are less than $a$ in the well-founded ordering.

Application of the induction hypothesis during a proof will cause a recursive call $f(x)$ to appear in the program being constructed. The condition $P(x)$ will ensure that the input $x$ of the recursive call will be a legal input; i.e., it will satisfy the given input condition. The condition $x \prec a$ will ensure that the new recursive call cannot result in an infinite computation.
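As an added illustration (not from the paper), the integer square-root specification of the previous section written as checkable predicates, together with a recursive program of the shape the special form of well-founded induction yields. The program is my own choice, not one the paper derives: its recursive call is on $n - 1$, which is below $n$ in the $>$ ordering on the nonnegative integers (the $x \prec a$ condition), and the guard $n > 0$ keeps $n - 1$ a legal input (the $P(x)$ condition). The helper names are assumptions of this example.

```python
# Added example, not from the paper: the integer square-root specification as
# checkable predicates P and R, plus a recursive program of the kind the special
# form of well-founded induction produces. The program is an assumption of this
# example: the recursive call is on n - 1 (x ≺ n under > on the nonnegative
# integers) and the guard n > 0 keeps n - 1 a legal input (P(x) holds).

def input_condition(n):
    """P(n): integer(n) and 0 <= n."""
    return isinstance(n, int) and 0 <= n

def output_condition(n, z):
    """R(n, z): integer(z) and z^2 <= n < (z + 1)^2."""
    return isinstance(z, int) and z * z <= n < (z + 1) * (z + 1)

def sqrt(n):
    """Recursive program: for n = 0 the output 0 satisfies R(0, 0) directly;
    for n > 0 the induction hypothesis gives z = sqrt(n - 1) with
    z^2 <= n - 1 < (z + 1)^2, so either (z + 1)^2 = n or z still works."""
    if n == 0:
        return 0
    z = sqrt(n - 1)                    # recursive call on x = n - 1: x ≺ n and P(x)
    if (z + 1) * (z + 1) <= n:         # then (z + 1)^2 == n, so z + 1 is the answer
        return z + 1
    return z

def specification_holds(limit):
    """Check that sqrt(n) witnesses (exists z)[R(n, z)] for every legal n < limit."""
    return all(output_condition(n, sqrt(n)) for n in range(limit) if input_condition(n))

def counterexamples(candidate, limit):
    """Inputs below limit on which a candidate program violates R(n, z)."""
    return [n for n in range(limit) if not output_condition(n, candidate(n))]
```

The linear recursion is deliberately inefficient: it mirrors the proof, where the induction hypothesis is applied at $n - 1$, rather than a binary-search program. `counterexamples` shows how the output condition doubles as an acceptance test for any candidate program, e.g. `counterexamples(lambda n: n // 2, 10)` reports the inputs where halving fails the specification.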

ℓ-EXPRESSIONS

In this section, we define a class of ℓ-expressions that will contain not only the expressions but also nested lists of expressions formed from a given alphabet.

• the alphabet

Suppose that $S$ is an alphabet of symbols, consisting of three disjoint sets:

$C$: the constants,
$X$: the variables, and
$F$: the function symbols.

Together, the constants and variables will be referred to as the atoms of $S$. With each function symbol of $F$ is associated a unique positive integer, called its arity, indicating how many arguments the function takes.

• generation rules

The expressions of $S$ are constructed by repeated application of the following generation rules:

Any constant of $C$ is an expression;

Any variable of $X$ is an expression;

If $f$ is a function symbol (of arity $n$)
and $l$ is a list of expressions (of length $n$)
then the result of applying $f$ to the expressions in $l$,
denoted by $f \cdot l$, is an expression.

Note that if $l = [l_1, l_2, \ldots, l_n]$ then $f \cdot l$ is the expression informally denoted by $f(l_1, l_2, \ldots, l_n)$.

The ℓ-expressions of $S$ are constructed by repeated application of the following generation rules:

The empty list $[\,]$ is an ℓ-expression;

Any expression is an ℓ-expression;

If $s$ is an ℓ-expression
and $m$ is a list of ℓ-expressions
then the result of inserting $s$ before the first element of $m$,
denoted by $s \circ m$, is an ℓ-expression.

Note that if $m = [m_1, m_2, \ldots, m_n]$ then $s \circ m$ is the list of ℓ-expressions informally denoted by $[s, m_1, m_2, \ldots, m_n]$.

• uniqueness properties

We assume that each ℓ-expression can only be produced in a unique way from the above rules. This assumption is expressed by the following properties:

$c \ne x$
$c \ne f \cdot l$
$x \ne f \cdot l$
if $f \cdot l = f' \cdot l'$ then $f = f'$ and $l = l'$

$c \ne [\,]$
$c \ne s \circ m$
$x \ne [\,]$
$x \ne s \circ m$
$f \cdot l \ne [\,]$
$f \cdot l \ne s \circ m$
$[\,] \ne s \circ m$
if $s \circ m = s' \circ m'$ then $s = s'$ and $m = m'$

for all constants $c$, variables $x$, function symbols $f$ and $f'$ (of arity $n$ and $n'$, respectively), lists of expressions $l$ and $l'$ (of length $n$ and $n'$, respectively), ℓ-expressions $s$ and $s'$, and lists of ℓ-expressions $m$ and $m'$.

• the occurs-in relation

We will say that an ℓ-expression $s$ occurs in an ℓ-expression $s'$, denoted by

$s \preceq s'$ or $s' \succeq s$,

if $s$ is a subexpression of $s'$; we will say that $s$ occurs properly in $s'$, denoted by

$s \prec s'$ or $s' \succ s$,

if $s$ occurs in $s'$ but is distinct from $s'$. We will abbreviate

not $s \preceq s'$ as $s \not\preceq s'$,
not $s \prec s'$ as $s \not\prec s'$,

and so forth. Formally, these relations are defined by the following properties:

$s \preceq s'$ if and only if $s \prec s'$ or $s = s'$ (partiality)
$s \not\prec a$ (atom)
$s \not\prec [\,]$ (empty)
$s \prec f \cdot l$ if and only if $s \preceq l$ (application)
$s \prec s' \circ m$ if and only if $s \preceq s'$ or $s \preceq m$ (insertion)

for all atoms $a$, function symbols $f$ (of arity $n$), lists of expressions $l$ (of length $n$), ℓ-expressions $s$ and $s'$, and lists of ℓ-expressions $m$.

We assume as part of its definition that the occurs-in relation is well-founded. This is a way of expressing formally that all the ℓ-expressions are finite. It follows that the relation is irreflexive,

$s \not\prec s$ (irreflexivity)

for all ℓ-expressions $s$.

The definition implies the following component properties of $\prec$:

$l \prec f \cdot l$
$s \prec s \circ m$
$m \prec s \circ m$

for every function symbol $f$ (of arity $n$), list of expressions $l$ (of length $n$), ℓ-expression $s$, and list of ℓ-expressions $m$.

• the vars function

The value of $vars(s)$ is the set of variables that occur in the ℓ-expression $s$. Formally, we define

$vars(c) = \{\}$ (constant)
$vars(x) = \{x\}$ (variable)
$vars([\,]) = \{\}$ (empty)
$vars(f \cdot l) = vars(l)$ (application)
$vars(s \circ m) = vars(s) \cup vars(m)$ (insertion)

for all constants $c$, variables $x$, function symbols $f$ (of arity $n$), lists of expressions $l$ (of length $n$), ℓ-expressions $s$, and lists of ℓ-expressions $m$.

Now let us state a proposition relating the occurs-in relation with the vars function.

Proposition (variables): For every variable $y$ and ℓ-expression $s$,

$y \in vars(s)$ if and only if $y \preceq s$.

In other words, the elements of $vars(s)$ are indeed those variables that occur in $s$. The proof is by well-founded induction over the occurs-in relation itself.
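As an added example (mine, not the paper's), a concrete encoding of ℓ-expressions with the occurs-in relation and the vars function written clause by clause from the defining properties above, plus a check of the Variables Proposition on a constructed sample. The encoding is an assumption of this example: a constant is a lowercase string, a variable an uppercase string, the functional expression $f \cdot l$ is the tuple `(f, l)` with `l` a Python list, and a list of ℓ-expressions is a Python list, so $s \circ m$ is `[s] + m`.

```python
# Added example, not from the paper. Encoding (an assumption): constants are
# lowercase strings, variables uppercase strings, f•l is the tuple (f, l) with
# l a Python list, and a list of ℓ-expressions is a Python list ([s] + m is s∘m).

def is_variable(t):
    return isinstance(t, str) and t[:1].isupper()

def is_atom(t):
    return isinstance(t, str)                     # constant or variable

def is_application(t):
    return isinstance(t, tuple)                   # f•l

def occurs_properly(s, t):
    """s ≺ t, by the defining clause for the syntactic category of t."""
    if is_atom(t):                                # (atom): nothing occurs properly in an atom
        return False
    if t == []:                                   # (empty)
        return False
    if is_application(t):                         # (application): s ≺ f•l iff s ≼ l
        return occurs_in(s, t[1])
    head, rest = t[0], t[1:]                      # t = head ∘ rest
    return occurs_in(s, head) or occurs_in(s, rest)   # (insertion)

def occurs_in(s, t):
    """s ≼ t (partiality): s ≺ t or s = t."""
    return occurs_properly(s, t) or s == t

def vars_of(t):
    """vars(t): the variables that occur in t."""
    if is_atom(t):
        return {t} if is_variable(t) else set()   # (variable) / (constant)
    if is_application(t):
        return vars_of(t[1])                      # (application)
    return set().union(*(vars_of(u) for u in t))  # (empty) and (insertion)

def size(t):
    """A size measure that strictly decreases along ≺: the occurs-in relation is
    well-founded because every ℓ-expression is finite."""
    if is_atom(t):
        return 1
    if is_application(t):
        return 1 + size(t[1])
    return 1 + sum(size(u) for u in t)

def variables_proposition_holds(t, candidates):
    """y ∈ vars(t) iff y ≼ t, checked for each candidate variable y."""
    return all((y in vars_of(t)) == occurs_in(y, t) for y in candidates)

# Constructed sample: g(x, f(y)), with uppercase variable names.
SAMPLE = ('g', ['X', ('f', ['Y'])])
```

The two mutually recursive functions follow the paper's properties exactly: `occurs_properly` dispatches on the syntactic category of its second argument, and `occurs_in` is the partiality clause. Note that, with these definitions, the argument list of $g(x, f(y))$ occurs properly in it (the component property $l \prec f \cdot l$), as does the tail list $[f(y)]$ of that argument list ($m \prec s \circ m$).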

SUBSTITUTIONS

Substitution is the operation of replacing certain variables of an ℓ-expression by other expressions. We begin by giving an informal exposition of substitutions; subsequently, we give a formal treatment of the same notion.

Informally, we will represent a substitution $\theta$ as a set of replacements

$\theta = \{x_1 \leftarrow e_1,\ x_2 \leftarrow e_2,\ \ldots,\ x_n \leftarrow e_n\},$

where $x_1, x_2, \ldots, x_n$ are distinct variables in $X$ and $e_1, e_2, \ldots, e_n$ are expressions such that $e_i \ne x_i$. Thus, replacements of the form $x \leftarrow x$ are excluded from substitutions, and substitutions of the form $\{x \leftarrow e,\ x \leftarrow e'\}$ are not allowed.

If $x_i \leftarrow e_i$ is a replacement in the substitution $\theta$, we will refer to $x_i$ as the variable and $e_i$ as the expression of the replacement. We will denote by

$dom(\theta)$: the set of variables $\{x_1, x_2, \ldots, x_n\}$ affected by the substitution $\theta$, called the domain of $\theta$, and

$range(\theta)$: the set of variables that occur in $e_1, e_2, \ldots$, or $e_n$, called the range of $\theta$.

The result $s \triangleleft \theta$ of applying such a substitution $\theta$ to an ℓ-expression $s$ is obtained by simultaneously replacing every instance of the variables $x_1, x_2, \ldots$, and $x_n$ by the corresponding expressions $e_1, e_2, \ldots$, and $e_n$.

For example, if $\theta$ is the substitution

$\{x \leftarrow f(y),\ y \leftarrow g(a, z)\},$

then

$dom(\theta) = \{x, y\}$,
$range(\theta) = \{y, z\}$;

furthermore, if $s$ is the ℓ-expression

$[x,\ [g(a, x),\ y]\,],$

then the result $s \triangleleft \theta$ of applying $\theta$ to $s$ is

$[f(y),\ [g(a, f(y)),\ g(a, z)]\,].$

Note that the replacements are performed simultaneously: thus, the variable $y$ in $f(y)$ above was not replaced by $g(a, z)$ even though $\theta$ contains a replacement $y \leftarrow g(a, z)$.

Let us be more precise: suppose that $S$ is an alphabet consisting of the constants $C$, the variables $X$, and the function symbols $F$, as before.

• generation rules

The substitutions are constructed by repeated application of the following generation rules. We define the domain and range sets for each substitution at the same time.

• The empty substitution $\{\,\}$ is a substitution,
• $dom(\{\,\}) = \{\}$,
• $range(\{\,\}) = \{\}$;

If $\theta$ is a substitution,
$x$ is a variable not in $dom(\theta)$,
and $e$ is an expression distinct from $x$,
then

• the result of adding the replacement $x \leftarrow e$ to the substitution $\theta$, denoted by $(x \leftarrow e) \circ \theta$, is also a substitution,
• $dom((x \leftarrow e) \circ \theta) = \{x\} \cup dom(\theta)$,
• $range((x \leftarrow e) \circ \theta) = vars(e) \cup range(\theta)$.

Note that if $\theta = \{x_1 \leftarrow e_1,\ x_2 \leftarrow e_2,\ \ldots,\ x_n \leftarrow e_n\}$ then $(x \leftarrow e) \circ \theta$ is the substitution informally denoted by $\{x \leftarrow e,\ x_1 \leftarrow e_1,\ \ldots,\ x_n \leftarrow e_n\}$. Furthermore,

$dom((x \leftarrow e) \circ \theta) = \{x, x_1, \ldots, x_n\}$
$range((x \leftarrow e) \circ \theta) = vars(e) \cup vars(e_1) \cup \cdots \cup vars(e_n)$.

We call $\circ$ the addition function for substitutions.

Substitutions do not have uniqueness properties: we may regard two substitutions as equal even though they have been constructed in different ways. We will say that two substitutions are equal if they have the same effect when applied to an arbitrary ℓ-expression. But first let us define more precisely what we mean by applying a substitution to an ℓ-expression.

• the apply function

If $\theta$ is a substitution, and $s$ is an ℓ-expression, then the apply function $s \triangleleft \theta$ is defined to satisfy the following properties:

$s \triangleleft \{\,\} = s$ (empty substitution)
$c \triangleleft \theta = c$ (constant)
$x \triangleleft ((x \leftarrow e) \circ \theta) = e$ (same variable)
$y \triangleleft ((x \leftarrow e) \circ \theta) = y \triangleleft \theta$ if $x \ne y$ (distinct variable)
$[\,] \triangleleft \theta = [\,]$ (empty list)
$(f \cdot l) \triangleleft \theta = f \cdot (l \triangleleft \theta)$ (application)
$(s \circ m) \triangleleft \theta = (s \triangleleft \theta) \circ (m \triangleleft \theta)$ (insertion)

for all substitutions $\theta$, constants $c$, variables $x$ and $y$, expressions $e$, function symbols $f$ (of arity $n$), lists of expressions $l$ (of length $n$), ℓ-expressions $s$, and lists of ℓ-expressions $m$.

Note that, in the same variable and distinct variable properties, we do not require that $x$ and $e$ be distinct or that $x \notin dom(\theta)$, even though these are conditions on the generation rules for substitutions. This means that $(x \leftarrow e) \circ \theta$ is defined in these cases.

Let us now introduce a simple property relating ℓ-expressions and substitutions.

Proposition (monotonicity): For all ℓ-expressions $s$ and $s'$ and substitutions $\theta$,

(a) if $s \preceq s'$ then $s \triangleleft \theta \preceq s' \triangleleft \theta$,

(b) if $s \prec s'$ then $s \triangleleft \theta \prec s' \triangleleft \theta$.

In other words, the subexpression and proper subexpression relations are maintained after the application of a substitution.

• agreement and equality

We will say that two substitutions $\theta_1$ and $\theta_2$ agree on an ℓ-expression $s$ if

$s \triangleleft \theta_1 = s \triangleleft \theta_2.$

Now we can define the notion of equality for substitutions. We will say that two substitutions $\theta_1$ and $\theta_2$ are equal, denoted by $\theta_1 = \theta_2$, if they agree on all ℓ-expressions; i.e.,

$\theta_1 = \theta_2$
if and only if
$s \triangleleft \theta_1 = s \triangleleft \theta_2$ for all ℓ-expressions $s$.

We assume that the only substitutions are those that have been constructed by a finite number of applications of the generation rules; it follows that any substitution $\theta$ is a finite set of replacements and that the sets $dom(\theta)$ and $range(\theta)$ are finite sets of variables. This finiteness can be expressed formally by an appropriate induction principle over the substitutions.

• characterization of domain and range

Let us state two propositions that characterize the domain and range of a substitution.

Proposition (domain): For every substitution $\theta$ and variable $x$,

$x \in dom(\theta)$ if and only if $x \triangleleft \theta \ne x$.

That is, the domain is the set of all variables affected by the substitution.

Proposition (range): For every substitution $\theta$ and variable $y$,

$y \in range(\theta)$ if and only if
there exists a variable $x$ such that $x \in dom(\theta)$ and $y \in vars(x \triangleleft \theta)$.

That is, the range is the set of all variables that may be introduced by a substitution.

Let us now introduce the notion of the composition of two substitutions.


COMPOSITION OF SUBSTITUTIONS

We define the composition $\theta \circ \theta'$ of two substitutions $\theta$ and $\theta'$ to be the substitution satisfying the following property:

$s \triangleleft (\theta \circ \theta') = (s \triangleleft \theta) \triangleleft \theta'$

for all ℓ-expressions $s$. In other words, applying the composition $\theta \circ \theta'$ to an ℓ-expression is the same as applying $\theta$ first, and then applying $\theta'$ to the result.

For example, if

$\theta = \{x \leftarrow f(y)\}$
$\theta' = \{y \leftarrow g(a, x),\ x \leftarrow b\}$
$s = h(x, y, z),$

then

$s \triangleleft \theta = h(f(y), y, z)$
$s \triangleleft (\theta \circ \theta') = (s \triangleleft \theta) \triangleleft \theta' = h(f(g(a, x)), g(a, x), z).$

It follows from the definition that composition has the following properties:

$\theta \circ \{\,\} = \theta$ (right empty)
$\{\,\} \circ \theta = \theta$ (left empty)
$(\theta_1 \circ \theta_2) \circ \theta_3 = \theta_1 \circ (\theta_2 \circ \theta_3)$ (associativity)

for any substitutions $\theta$, $\theta_1$, $\theta_2$, and $\theta_3$. Because $\circ$ is associative, we may write expressions of form $(\theta_1 \circ \theta_2) \circ \theta_3$ and $\theta_1 \circ (\theta_2 \circ \theta_3)$ as $\theta_1 \circ \theta_2 \circ \theta_3$ without fear of ambiguity.


SYNTACTIC CATEGORIES

We will regard constants, variables, expressions, and lists as being of distinct "syntactic categories."

Definition: Let $S$ be an arbitrary alphabet. Then the syntactic categories of the ℓ-expressions of $S$ are the following five sets:

• the set $C$ of constants,

• the set $X$ of variables,

• the set consisting of the empty list $[\,]$,

• the set of functional expressions of form $f \cdot l$, where $f$ is a function symbol (of arity $n$) and $l$ is a list of expressions (of length $n$),

• the set of nonempty lists of form $t \circ m$, where $t$ is an ℓ-expression and $m$ is a list of ℓ-expressions.

By the uniqueness properties of ℓ-expressions, every ℓ-expression belongs to precisely one syntactic category. The power of a substitution to change the syntactic category of an ℓ-expression is severely limited by the following observation:

Proposition (syntactic category): For any substitution $\theta$ and ℓ-expression $s$,

(a) if $s$ is not a variable then $s$ and $s \triangleleft \theta$ are in the same syntactic category.

(b) if $e$ is an expression then $e \triangleleft \theta$ is an expression.

Note that it is not necessarily true that, if $s$ is a variable, then $s \triangleleft \theta$ is also a variable; it may be a constant or a functional expression. However, the converse is true:

Corollary: For any substitution $\theta$ and ℓ-expression $s$,

if $s \triangleleft \theta$ is a variable
then $s$ is also a variable.
THE AGREEMENT PROPOSITION AND ITS CONSEQUENCES

The following proposition has many useful consequences:

Proposition (agreement): For all substitutions $\theta$ and $\theta'$ and ℓ-expressions $s$, we have

$s \triangleleft \theta = s \triangleleft \theta'$
if and only if
for every $x$, if $x \in vars(s)$ then $x \triangleleft \theta = x \triangleleft \theta'$.

In other words, two substitutions agree on an ℓ-expression precisely when they agree on all the variables of the ℓ-expression.

An immediate consequence of this proposition tells what happens when all the variables of an ℓ-expression are unchanged by a substitution:

Corollary (invariance): For every substitution $\theta$ and ℓ-expression $s$,

$s \triangleleft \theta = s$
if and only if
$vars(s) \cap dom(\theta) = \{\}$.

In other words, a substitution has no effect on an ℓ-expression precisely when no variable in the domain of the substitution actually occurs in the ℓ-expression. The proof depends on taking $\theta'$ to be the empty substitution $\{\,\}$ in the Agreement Proposition.

Corollary (replacement invariance): For every ℓ-expression $s$, expression $e$, and variable $x$,

if $x \notin vars(s)$
then $s \triangleleft \{x \leftarrow e\} = s$.

In other words, applying a single replacement to an ℓ-expression has no effect if the variable of the replacement does not occur in the ℓ-expression.

Another consequence of the Agreement Proposition gives a useful characterization of the equality between substitutions. We have defined two substitutions to be equal if they agree on all ℓ-expressions. In fact it suffices to show that they agree on all variables:

Proposition (equality): For all substitutions $\theta$ and $\theta'$, we have

$\theta = \theta'$
if and only if
for every variable $x$, $x \triangleleft \theta = x \triangleleft \theta'$.

According to this proposition, to prove equality between substitutions it suffices to show that they agree on all variables. In fact, it suffices to consider only variables in their domains:

Corollary (equality): For all substitutions $\theta$ and $\theta'$, we have

for every variable $x$,
    if $x \in dom(\theta) \cup dom(\theta')$
    then $x \triangleleft \theta = x \triangleleft \theta'$
if and only if
$\theta = \theta'$.

The following proposition relates the addition and composition functions:

Proposition (addition-composition): For every substitution $\theta$, variable $x$, and expression $e$,

$(x \leftarrow e \triangleleft \theta) \circ \theta = \{x \leftarrow e\} \circ \theta.$

Here the $\circ$ on the left is the addition function (adding the replacement $x \leftarrow e \triangleleft \theta$ to $\theta$) and the $\circ$ on the right is composition. The proof relies on the Equality Proposition.

• the subtraction function

We denote by $\theta - x$ the substitution that has no effect on the variable $x$, but that agrees with $\theta$ on all other variables. Formally, we define $\theta - x$ by the following properties:

$x \triangleleft (\theta - x) = x$
$y \triangleleft (\theta - x) = y \triangleleft \theta$ if $x \ne y$

for all substitutions $\theta$ and variables $x$ and $y$. It follows (by the Domain Proposition) that

$x \notin dom(\theta - x)$

for all substitutions $\theta$ and variables $x$.

Proposition (subtraction): For any variable $x$, expression $e$, and substitution $\theta$, where $x \not\preceq e$, i.e., $x \notin vars(e)$, we have

$e \triangleleft (\theta - x) = e \triangleleft \theta.$

The following proposition enables us to break down a substitution into its component replacements:

Proposition (decomposition): For every substitution $\theta$ and variable $x$,

$\theta = (x \leftarrow x \triangleleft \theta) \circ (\theta - x).$
SET-THEORETIC PROPERTIES OF SUBSTITUTIONS

In this section, we give some properties that relate the domain and range of a substitution with the variables of the ℓ-expressions.

Proposition (variable elimination): For any ℓ-expression $s$, substitution $\theta$, and variable $y$,

if $y \in dom(\theta)$ and $y \notin range(\theta)$
then $y \notin vars(s \triangleleft \theta)$.

Thus, if a variable occurs in the domain of a substitution but not in its range, then the substitution will remove that variable from any ℓ-expression in which it occurs.

Proposition (variable introduction): For any ℓ-expression $s$, substitution $\theta$, and variable $y$,

if $y \in vars(s \triangleleft \theta)$
then $y \in range(\theta)$ or $y \in vars(s)$,

i.e.,

$vars(s \triangleleft \theta) \subseteq range(\theta) \cup vars(s).$

In other words, if a variable occurs in an ℓ-expression after a substitution, then it was introduced by the substitution or it occurred in the ℓ-expression originally.


UNIFIERS

Suppose that $s$ and $s'$ are ℓ-expressions and $\theta$ is a substitution of some alphabet $S$ of constants, variables, and function symbols. We will say that $\theta$ is a unifier of $s$ and $s'$ if

$s \triangleleft \theta = s' \triangleleft \theta.$

Example: If

$s = g(x, z)$

and

$s' = g(y, f(y))$

then the substitution

$\theta = \{x \leftarrow y,\ z \leftarrow f(y)\}$

is a unifier, because

$s \triangleleft \theta = s' \triangleleft \theta = g(y, f(y)).$

Note that $\theta$ is not the only unifier of $s$ and $s'$; e.g.,

$\lambda = \{x \leftarrow b,\ y \leftarrow b,\ z \leftarrow f(b)\}$

is a unifier, because

$s \triangleleft \lambda = s' \triangleleft \lambda = g(b, f(b));$

also,

$\rho = \{y \leftarrow x,\ z \leftarrow f(x)\}$

is a unifier, because

$s \triangleleft \rho = s' \triangleleft \rho = g(x, f(x)).$

Not all pairs of ℓ-expressions have a unifier. For example, there is no unifier for

$s = g(a, b)$

and

$s' = g(x, x).$

For, the result of applying any substitution $\theta$ to $g(a, b)$ will be the expression

$g(a, b)$

itself, in which the arguments are distinct. On the other hand, the result of applying $\theta$ to $g(x, x)$ will be an expression of form

$g(e, e),$

in which the arguments are identical. These two results can never be the same.

Two ℓ-expressions will be said to be unifiable if they have (at least one) unifier. Thus, $g(x, z)$ and $g(y, f(y))$ are unifiable, but $g(a, b)$ and $g(x, x)$ are not.

The following propositions characterize the unifiers for different categories of ℓ-expressions.

Proposition (application unifier): For any function symbol $f$ (of arity $n$) and lists $l$ and $l'$ (of length $n$), we have

$\lambda$ is a unifier of $f \cdot l$ and $f \cdot l'$
if and only if
$\lambda$ is a unifier of $l$ and $l'$.

Proposition (insertion unifier): For any ℓ-expressions $t$ and $t'$ and lists of ℓ-expressions $m$ and $m'$,

$\lambda$ is a unifier of $t \circ m$ and $t' \circ m'$
if and only if
$\lambda$ is a unifier of $t$ and $t'$
and
$\lambda$ is a unifier of $m$ and $m'$.


GENERALITY

We will say that a substitution $\theta$ is more general than a substitution $\lambda$, denoted by $\theta \succeq_{gen} \lambda$ or $\lambda \preceq_{gen} \theta$, if there exists some substitution $\psi$ such that
$$\lambda = \theta \diamond \psi.$$
In this case, we will also say that $\lambda$ is an instance of $\theta$.

Example:

The substitution
$$\theta = \{y \leftarrow b\}$$
is more general than the substitution
$$\lambda = \{x \leftarrow a,\ y \leftarrow b\},$$
i.e., $\theta \succeq_{gen} \lambda$, because (taking $\psi$ to be $\{x \leftarrow a\}$ in the definition)
$$\lambda = \theta \diamond \{x \leftarrow a\}.$$
In other words, $\lambda$ is an instance of $\theta$.

Note that, according to our terminology, a substitution is always more general than itself, i.e.,
$$\theta \succeq_{gen} \theta \qquad (reflexivity)$$
for every substitution $\theta$. Also, the empty substitution is more general than any substitution, i.e.,
$$\{\} \succeq_{gen} \theta \qquad (empty)$$
for every substitution $\theta$.
MOST-GENERAL UNIFIERS

We have observed that there may be several distinct unifiers for a given pair of ℓ-expressions. In fact, any instance of a unifier is also a unifier.

Proposition (instance of a unifier): For all substitutions $\theta$ and $\lambda$ and ℓ-expressions $s$ and $s'$,
$$\text{if } \theta \text{ is a unifier of } s \text{ and } s' \text{ and } \theta \succeq_{gen} \lambda, \text{ then } \lambda \text{ is a unifier of } s \text{ and } s'.$$

Definition: A substitution $\theta$ is a most-general unifier of two ℓ-expressions $s$ and $s'$ if

• $\theta$ is a unifier of $s$ and $s'$; i.e.,
$$s \triangleleft \theta = s' \triangleleft \theta,$$
and

• $\theta$ is more general than any other unifier of $s$ and $s'$; i.e.,
$$\text{if } s \triangleleft \lambda = s' \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda$$
for any substitution $\lambda$.

Combining the above proposition and definition, we see that the unifiers of two ℓ-expressions are precisely the instances of a most-general unifier.

Corollary (most-general unifier): For all substitutions $\theta$ and ℓ-expressions $s$ and $s'$,
$$\theta \text{ is a most-general unifier of } s \text{ and } s'$$
if and only if, for every substitution $\lambda$,
$$\lambda \text{ is a unifier of } s \text{ and } s' \quad\text{if and only if}\quad \theta \succeq_{gen} \lambda.$$


Example:

We have seen that the two ℓ-expressions
$$s = g(x, z)$$
and
$$s' = g(y, f(y))$$
have many unifiers; e.g.,
$$\theta = \{x \leftarrow y,\ z \leftarrow f(y)\},$$
$$\lambda = \{x \leftarrow b,\ y \leftarrow b,\ z \leftarrow f(b)\}, \text{ and}$$
$$\rho = \{y \leftarrow x,\ z \leftarrow f(x)\}.$$

It turns out that $\theta$ is a most-general unifier of $s$ and $s'$. In particular, $\theta$ is more general than $\lambda$ and $\rho$, because
$$\lambda = \theta \diamond \{y \leftarrow b\}$$
and
$$\rho = \theta \diamond \{y \leftarrow x\}.$$

The unifier $\lambda$ is not most-general. In particular, $\lambda$ is not more general than $\theta$; i.e.,
$$\theta \neq \lambda \diamond \psi$$
for any substitution $\psi$. For instance,
$$x \triangleleft \theta = y,$$
but (by the definition of composition and the constant property of the apply function)
$$x \triangleleft (\lambda \diamond \psi) = (x \triangleleft \lambda) \triangleleft \psi = b \triangleleft \psi = b \neq y.$$

Most-general unifiers are not unique; for example, the above substitution $\rho$ is also a most-general unifier of $s$ and $s'$. In particular, $\rho$ is more general than $\theta$ and $\lambda$, because
$$\theta = \rho \diamond \{x \leftarrow y\}$$
and
$$\lambda = \rho \diamond \{x \leftarrow b\}.$$

The following proposition concerns the unifiers of a variable and an expression:

Proposition (variable unifier): For any variable $x$ and expression $e$ such that $x \not\prec e$, we have
$$\{x \leftarrow e\} \text{ is a most-general unifier of } x \text{ and } e.$$

We include the proof of this proposition, because it is not straightforward, and because it may be regarded as an integral part of the synthesis of the unification algorithm.

Proof:

It suffices to show (by the Most-General Unifier Corollary) that, for an arbitrary substitution $\lambda$,
$$\lambda \text{ is a unifier of } x \text{ and } e \quad\text{if and only if}\quad \{x \leftarrow e\} \succeq_{gen} \lambda,$$
i.e. (by the definition of the generality relation $\succeq_{gen}$),
$$x \triangleleft \lambda = e \triangleleft \lambda \quad\text{if and only if}\quad \lambda = \{x \leftarrow e\} \diamond \lambda^* \text{ for some substitution } \lambda^*.$$

On the one hand, if
$$\lambda = \{x \leftarrow e\} \diamond \lambda^*$$
for some substitution $\lambda^*$, then
$$\begin{aligned}
x \triangleleft \lambda &= x \triangleleft (\{x \leftarrow e\} \diamond \lambda^*) \\
&= (x \triangleleft \{x \leftarrow e\}) \triangleleft \lambda^* && \text{by the definition of composition} \\
&= e \triangleleft \lambda^* && \text{by the same-variable property of the apply function,}
\end{aligned}$$
and
$$\begin{aligned}
e \triangleleft \lambda &= e \triangleleft (\{x \leftarrow e\} \diamond \lambda^*) \\
&= (e \triangleleft \{x \leftarrow e\}) \triangleleft \lambda^* && \text{by the definition of composition} \\
&= e \triangleleft \lambda^* && \text{by the Replacement Invariance Corollary, because } x \notin vars(e).
\end{aligned}$$
In short,
$$x \triangleleft \lambda = e \triangleleft \lambda.$$

On the other hand, suppose
$$x \triangleleft \lambda = e \triangleleft \lambda.$$
Then
$$\begin{aligned}
\lambda &= \{x \leftarrow x \triangleleft \lambda\} \diamond (\lambda - x) && \text{by the Decomposition Proposition} \\
&= \{x \leftarrow e \triangleleft \lambda\} \diamond (\lambda - x) && \text{by our supposition that } x \triangleleft \lambda = e \triangleleft \lambda \\
&= \{x \leftarrow e \triangleleft (\lambda - x)\} \diamond (\lambda - x) && \text{by the Subtraction Proposition, because } x \not\prec e \\
&= \{x \leftarrow e\} \diamond (\lambda - x) && \text{by the Addition-Composition Proposition.}
\end{aligned}$$
Therefore, if $\lambda^*$ is taken to be $\lambda - x$, we have
$$\lambda = \{x \leftarrow e\} \diamond \lambda^*,$$
as we had intended.

This concludes the proof.

IDEMPOTENT SUBSTITUTIONS

We will say that a substitution $\theta$ is idempotent if it has the special property that
$$\theta = \theta \diamond \theta.$$

Example:

The substitution
$$\theta = \{x \leftarrow f(y)\}$$
is idempotent, because
$$\theta \diamond \theta = \{x \leftarrow f(y)\} \diamond \{x \leftarrow f(y)\} = \{x \leftarrow f(y)\} = \theta.$$
On the other hand,
$$\phi = \{x \leftarrow f(x)\}$$
is not idempotent, because
$$\phi \diamond \phi = \{x \leftarrow f(x)\} \diamond \{x \leftarrow f(x)\} = \{x \leftarrow f(f(x))\} \neq \phi.$$

The property of idempotence is characterized by the following proposition.

Proposition (idempotence): A substitution is idempotent if and only if its domain and range are disjoint; i.e.,
$$\theta = \theta \diamond \theta \quad\text{if and only if}\quad dom(\theta) \cap range(\theta) = \{\},$$
for all substitutions $\theta$.

MOST-GENERAL IDEMPOTENT UNIFIERS

Let us return to the example from the beginning of this section.

Example:

We have seen that the two ℓ-expressions
$$s = g(x, z)$$
and
$$s' = g(y, f(y))$$
have among their most-general unifiers the substitutions
$$\theta = \{x \leftarrow y,\ z \leftarrow f(y)\}$$
and
$$\rho = \{y \leftarrow x,\ z \leftarrow f(x)\}.$$
Both of these substitutions happen to be idempotent, i.e.,
$$\theta = \theta \diamond \theta \quad\text{and}\quad \rho = \rho \diamond \rho.$$
However, not all most-general unifiers are idempotent.

For instance, the substitution
$$\phi = \{x \leftarrow z,\ z \leftarrow f(z),\ y \leftarrow z\}$$
also turns out to be a most-general unifier of $s$ and $s'$. It is a unifier, because
$$s \triangleleft \phi = g(z, f(z)) = s' \triangleleft \phi.$$
It is more general than the most-general unifier $\theta$, because
$$\theta = \phi \diamond \{z \leftarrow y\}.$$
But $\phi$ is not idempotent, because
$$z \in \{x, y, z\} = dom(\phi)$$
and
$$z \in \{z\} = range(\phi);$$
therefore
$$dom(\phi) \cap range(\phi) = \{z\} \neq \{\},$$
and hence (by the Idempotence Proposition) $\phi$ is not idempotent.

Most-general, idempotent unifiers have some properties we will find useful.

Proposition (most-general, idempotent unifier): If $\theta$ is a unifier of two ℓ-expressions $s$ and $s'$, then
$$\theta \text{ is most-general and idempotent}$$
if and only if
$$\text{for every unifier } \lambda \text{ of } s \text{ and } s',\ \lambda = \theta \diamond \lambda.$$

Proposition (domain and range): If $\theta$ is a most-general, idempotent unifier of two ℓ-expressions $s$ and $s'$, then

(a) $dom(\theta) \subseteq vars(s) \cup vars(s')$

(b) $range(\theta) \subseteq vars(s) \cup vars(s')$.

In other words, the only variables that may appear in $\theta$ are those that occur in $s$ or $s'$.


THE UNIFICATION ALGORITHM

A unification algorithm is a procedure for finding a most-general, idempotent unifier for two ℓ-expressions, if any unifiers exist at all. Otherwise, it produces a special symbol $nil$, which is assumed to be distinct from any substitution.

The specification for the unification algorithm may be expressed as follows:
$$unify(s, s') \Leftarrow \text{find } \theta \text{ such that } \left[\begin{array}{l}
\theta \text{ is a most-general, idempotent unifier of } s \text{ and } s' \text{ and } \theta \neq nil \\
\text{or} \\
s \text{ and } s' \text{ are not unifiable and } \theta = nil
\end{array}\right]$$
for all ℓ-expressions $s$ and $s'$.

According to the deductive approach, then, we must prove the existence of an output $\theta$ satisfying this specification; i.e., we prove the following theorem:
$$(\forall s)(\forall s')(\exists \theta)\left[\begin{array}{l}
\theta \text{ is a most-general, idempotent unifier of } s \text{ and } s' \text{ and } \theta \neq nil \\
\text{or} \\
s \text{ and } s' \text{ are not unifiable and } \theta = nil
\end{array}\right].$$
In other words,
$$(\forall s)(\forall s')(\exists \theta)\left[\begin{array}{ll}
s \triangleleft \theta = s' \triangleleft \theta \text{ and} & (\theta \text{ is a unifier}) \\
(\forall \lambda)[\text{if } s \triangleleft \lambda = s' \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda] \text{ and} & (\theta \text{ is most-general}) \\
\theta = \theta \diamond \theta \text{ and} & (\theta \text{ is idempotent}) \\
\theta \neq nil & \\
\text{or} & \\
(\forall \lambda)[s \triangleleft \lambda \neq s' \triangleleft \lambda] \text{ and} & (s \text{ and } s' \text{ are not unifiable}) \\
\theta = nil &
\end{array}\right].$$
This theorem will also establish that if two ℓ-expressions are unifiable, they have a most-general, idempotent unifier.

Before we give the proof of the theorem, let us look ahead at the program we will ultimately extract from the proof. For clarity, we present the program as a set of properties of the $unify$ function; actually the deductive approach will produce the corresponding LISP-like applicative program. Of course, these properties will not be available to us during the proof.
general

For all ℓ-expressions $s$ and $s'$:
$$unify(s, s') = \{\} \quad\text{if } s = s' \qquad (same)$$
$$unify(s, s') = nil \quad\text{if } s \text{ and } s' \text{ are nonvariables in distinct syntactic categories} \qquad (distinct)$$

constant

For all constants $c$ and $c'$:
$$unify(c, c') = nil \quad\text{if } c \neq c' \qquad (distinct)$$

variable

For all variables $x$, expressions $e$, and lists of ℓ-expressions $m$:
$$unify(x, e) = \{x \leftarrow e\} \quad\text{if } x \not\prec e \qquad (not\text{-}in,\ left)$$
$$unify(e, x) = \{x \leftarrow e\} \quad\text{if } x \not\prec e \text{ and } e \text{ is not a variable} \qquad (not\text{-}in,\ right)$$
$$unify(x, e) = unify(e, x) = nil \quad\text{if } x \prec e \qquad (in)$$
$$unify(x, m) = unify(m, x) = nil \qquad (list)$$

function

For all function symbols $f$ and $f'$ (of arities $n$ and $n'$, respectively) and all lists of expressions $\ell$ and $\ell'$ (of lengths $n$ and $n'$, respectively):
$$unify(f \bullet \ell, f' \bullet \ell') = unify(\ell, \ell') \quad\text{if } f = f' \qquad (same)$$
$$unify(f \bullet \ell, f' \bullet \ell') = nil \quad\text{if } f \neq f' \qquad (distinct)$$

list

For all ℓ-expressions $t$ and $t'$ and all lists of ℓ-expressions $m$ and $m'$:
$$\begin{array}{l}
\text{let } \theta_{hd} = unify(t, t') \\
\text{if } \theta_{hd} = nil \\
\quad \text{then } unify(t \circ m, t' \circ m') = nil \qquad (no) \\
\quad \text{else let } \theta_{tl} = unify(m \triangleleft \theta_{hd}, m' \triangleleft \theta_{hd}) \\
\qquad \text{if } \theta_{tl} = nil \\
\qquad\quad \text{then } unify(t \circ m, t' \circ m') = nil \qquad (yes\text{-}no) \\
\qquad\quad \text{else } unify(t \circ m, t' \circ m') = \theta_{hd} \diamond \theta_{tl} \qquad (yes\text{-}yes)
\end{array}$$

In expressing the list properties, we have used the notation
$$\text{let } x = a \qquad P(x)$$
as an abbreviation for
$$P(a).$$
The virtue of this notation is that if $P(x)$ has many instances of $x$ and if $a$ is a lengthy expression, we would be required to rewrite $a$ many times in writing $P(a)$. Thus, without this abbreviation, the final equality above would read
$$unify(t \circ m, t' \circ m') = unify(t, t') \diamond unify\big(m \triangleleft unify(t, t'),\ m' \triangleleft unify(t, t')\big).$$

In the list properties, we have given separate names to the three equalities, for easy reference. The no property corresponds to the case that $\theta_{hd} = nil$, the yes-no property to the case that $\theta_{hd} \neq nil$ and $\theta_{tl} = nil$, and the yes-yes property to the case that $\theta_{hd} \neq nil$ and $\theta_{tl} \neq nil$.
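The properties above read directly as a program. The following is an added example, not code from the paper (which extracts a LISP-like applicative program) and not the authors' own: it is a Python transcription of the unify properties together with the substitution operations of the preceding sections (the apply function, composition, the domain/range test of the Idempotence Proposition, and the instance relation $\lambda = \theta \diamond \lambda$ of the Most-General, Idempotent Unifier Proposition), checked on the running pair $g(x, z)$, $g(y, f(y))$. The tuple and dict representation of ℓ-expressions and substitutions, the function names, and the treatment of an empty list against a nonempty one (which the paper's list cases do not cover) are my own assumptions.

```python
# Added example (not from the paper): the unify properties as executable code.
# Representation (my own assumption): a variable is ("var", name), a constant is
# ("const", name), an application f•l is ("app", f, [args]), and a list of
# l-expressions is a Python list. A substitution is a dict name -> expression;
# nil is represented by None.

def V(name):        return ("var", name)
def C(name):        return ("const", name)
def app(f, *args):  return ("app", f, list(args))

def apply(e, theta):
    """e ◁ theta: replace, all at once, every variable of e that theta binds."""
    if isinstance(e, list):
        return [apply(t, theta) for t in e]          # insertion property
    if e[0] == "var":
        return theta.get(e[1], e)                    # same-/distinct-variable property
    if e[0] == "const":
        return e                                     # constant property
    return ("app", e[1], apply(e[2], theta))         # application property

def compose(theta, psi):
    """theta ◇ psi, defined so that e ◁ (theta ◇ psi) == (e ◁ theta) ◁ psi.
    Trivial pairs x <- x are dropped, as the paper does (phi ◇ {z<-y} = theta)."""
    out = {x: apply(e, psi) for x, e in theta.items()}
    for y, e in psi.items():
        out.setdefault(y, e)
    return {x: e for x, e in out.items() if e != ("var", x)}

def variables(e):
    """vars(e): the names of the variables occurring in e."""
    if isinstance(e, list):
        return set().union(*[variables(t) for t in e])
    if e[0] == "var":   return {e[1]}
    if e[0] == "const": return set()
    return variables(e[2])

def dom(theta): return set(theta)
def rng(theta): return set().union(*[variables(e) for e in theta.values()])

def is_idempotent(theta):
    """Idempotence Proposition: theta = theta ◇ theta iff dom and range are disjoint."""
    by_definition  = compose(theta, theta) == theta
    by_proposition = not (dom(theta) & rng(theta))
    assert by_definition == by_proposition           # the two characterisations agree
    return by_definition

def is_unifier(theta, s, t):
    return apply(s, theta) == apply(t, theta)

def unify(s, t):
    """A most-general, idempotent unifier of s and t, or None (nil) if none exists."""
    if s == t:
        return {}                                                  # (same)
    if isinstance(s, list) != isinstance(t, list):
        return None                     # distinct categories, including variable vs list
    if isinstance(s, list):
        if not s or not t:
            return None                 # [] vs nonempty: no substitution changes a length
        head = unify(s[0], t[0])                                   # theta_hd
        if head is None:
            return None                                            # (no)
        tail = unify(apply(s[1:], head), apply(t[1:], head))       # theta_tl
        if tail is None:
            return None                                            # (yes-no)
        return compose(head, tail)                                 # (yes-yes)
    if s[0] == "var":                   # occurs check: x in e means not unifiable
        return None if s[1] in variables(t) else {s[1]: t}         # (in) / (not-in, left)
    if t[0] == "var":
        return None if t[1] in variables(s) else {t[1]: s}         # (not-in, right)
    if s[0] != t[0] or s[0] == "const":
        return None                     # distinct categories, or distinct constants
    if s[1] != t[1]:
        return None                                                # (function, distinct)
    return unify(s[2], t[2])                                       # (function, same)

# The paper's running example, constructed here: s = g(x, z), s' = g(y, f(y)).
x, y, z, a, b = V("x"), V("y"), V("z"), C("a"), C("b")
s       = app("g", x, z)
s_prime = app("g", y, app("f", y))
lam     = {"x": b, "y": b, "z": app("f", b)}        # the paper's non-most-general unifier

if __name__ == "__main__":
    theta = unify(s, s_prime)
    print(theta, is_idempotent(theta), compose(theta, lam) == lam)
    print(unify(app("g", a, b), app("g", x, x)), unify(x, app("f", x)))
```

The `unify(x, app("f", x))` call is the occurs check of the (in) property: without the `s[1] in variables(t)` test the function would return $\{x \leftarrow f(x)\}$, which is not idempotent and unifies nothing, which is the classic defect of unifiers that skip this check. `compose(theta, lam) == lam` is the instance relation of the Most-General, Idempotent Unifier Proposition; `is_idempotent` cross-checks the definition against the domain/range criterion on every call.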

Now let us examine a proof of the theorem, to see how the above program can be constructed.

The proof is by well-founded induction over an ordering $\prec_{un}$ between pairs $(s, s')$ of ℓ-expressions. Rather than choose this ordering in advance, we will proceed with the proof, under the assumption that a satisfactory well-founded ordering can be defined. Afterwards, the proof will motivate the definition of an appropriate ordering.

For two arbitrary ℓ-expressions $s$ and $s'$, we want to find an output $\theta$ that will satisfy the specification for $s$ and $s'$. In other words, we want to prove the conclusion
$$P(s, s'):\quad (\exists \theta)\left[\begin{array}{l}
s \triangleleft \theta = s' \triangleleft \theta \text{ and} \\
(\forall \lambda)[\text{if } s \triangleleft \lambda = s' \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda] \text{ and} \\
\theta = \theta \diamond \theta \text{ and} \\
\theta \neq nil \\
\text{or} \\
(\forall \lambda)[s \triangleleft \lambda \neq s' \triangleleft \lambda] \text{ and} \\
\theta = nil
\end{array}\right].$$
We will be happy if $\theta$ satisfies either of the two disjuncts in this desired conclusion.

As our induction hypothesis, we assume that the program $unify(r, r')$ we are trying to construct will satisfy its specification for all inputs $r$ and $r'$ such that the pair $(r, r')$ is strictly less than $(s, s')$ in the selected ordering $\prec_{un}$. In other words, we assume
$$\text{if } (r, r') \prec_{un} (s, s') \text{ then } \left[\begin{array}{l}
r \triangleleft unify(r, r') = r' \triangleleft unify(r, r') \text{ and} \\
(\forall \lambda)[\text{if } r \triangleleft \lambda = r' \triangleleft \lambda \text{ then } unify(r, r') \succeq_{gen} \lambda] \text{ and} \\
unify(r, r') = unify(r, r') \diamond unify(r, r') \text{ and} \\
unify(r, r') \neq nil \\
\text{or} \\
(\forall \lambda)[r \triangleleft \lambda \neq r' \triangleleft \lambda] \text{ and} \\
unify(r, r') = nil
\end{array}\right]$$
for all ℓ-expressions $r$ and $r'$.

The proof distinguishes between several cases, corresponding to the properties of the apply function $\triangleleft$. At the end of each case we will give the property of the $unify$ function provided by the proof. Together, these properties constitute the final program.


GENERAL CASES

Case (same): $s = s'$.

Then any substitution $\theta$ is a unifier, i.e.,
$$s \triangleleft \theta = s' \triangleleft \theta.$$

• To find a unifier that is most-general, i.e., such that
$$(\forall \lambda)[\text{if } s \triangleleft \lambda = s' \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda],$$
we note that (in this case) any substitution $\lambda$ satisfies the antecedent $s \triangleleft \lambda = s' \triangleleft \lambda$. Therefore, $\theta$ must have the property that
$$\theta \succeq_{gen} \lambda$$
for any substitution $\lambda$. The empty property of the most-general relation $\succeq_{gen}$, i.e.,
$$\{\} \succeq_{gen} \lambda$$
for any substitution $\lambda$, suggests that, in this case, to satisfy the first disjunct of the desired conclusion $P(s, s')$, $\theta$ can be taken to be the empty substitution $\{\}$.

• The empty substitution $\{\}$ is idempotent, i.e.,
$$\{\} = \{\} \diamond \{\},$$
by either of the empty properties of composition.

• We ignore the final requirement, that $\{\} \neq nil$, because any substitution is distinct from $nil$.

Therefore, the empty substitution $\{\}$ is a most-general, idempotent unifier of $s$ and $s'$, and satisfies the first disjunct of the desired conclusion $P(s, s')$ in this case.
$$unify(s, s') = \{\} \quad\text{if } s = s'$$

Case (distinct): $s$ and $s'$ are nonvariables of distinct syntactic categories.

Then we can show that $s$ and $s'$ are not unifiable, i.e.,
$$s \triangleleft \lambda \neq s' \triangleleft \lambda,$$
for any substitution $\lambda$. For, let $\lambda$ be an arbitrary substitution. Recall that, because $s$ and $s'$ are not variables, we have (by the Syntactic Categories Proposition) that
$$s \triangleleft \lambda \text{ is in the same syntactic category as } s,$$
$$s' \triangleleft \lambda \text{ is in the same syntactic category as } s',$$
and therefore
$$s \triangleleft \lambda \text{ and } s' \triangleleft \lambda \text{ are in distinct syntactic categories.}$$
Hence,
$$s \triangleleft \lambda \neq s' \triangleleft \lambda;$$
i.e., $s$ and $s'$ are not unifiable.

It follows that, in this case, we can satisfy the second disjunct of the desired conclusion $P(s, s')$ by taking $\theta$ to be $nil$.
$$unify(s, s') = nil \quad\text{if } s \text{ and } s' \text{ are nonvariables of distinct syntactic categories}$$


CONSTANT CASE

Case (distinct): $s$ and $s'$ are distinct constants $c$ and $c'$, respectively.

Then we can show that $c$ and $c'$ are not unifiable, i.e.,
$$c \triangleleft \lambda \neq c' \triangleleft \lambda$$
for any substitution $\lambda$. For, let $\lambda$ be an arbitrary substitution. Then (by the constant property of the apply function),
$$c \triangleleft \lambda = c$$
and
$$c' \triangleleft \lambda = c'.$$
But, since $c \neq c'$,
$$c \triangleleft \lambda \neq c' \triangleleft \lambda;$$
i.e., $c$ and $c'$ are not unifiable.

It follows that, in this case, we can satisfy the second disjunct of the desired conclusion $P(c, c')$ by taking $\theta$ to be $nil$.
$$unify(c, c') = nil \quad\text{if } c \neq c'$$


VARIABLE CASES

Case (not-in, left): $s$ is a variable $x$, $s'$ is an expression $e$, and $x \not\prec e$.

• We want to find a most-general unifier of $x$ and $e$. However, by the Variable Unifier Proposition, $\{x \leftarrow e\}$ is a most-general unifier of $x$ and $e$. This suggests taking
$$\theta \text{ to be } \{x \leftarrow e\}.$$

• We also want $\theta = \{x \leftarrow e\}$ to be idempotent, i.e., that
$$\{x \leftarrow e\} \diamond \{x \leftarrow e\} = \{x \leftarrow e\}.$$
We show the equivalent condition (by the Idempotence Proposition) that
$$dom(\{x \leftarrow e\}) \cap range(\{x \leftarrow e\}) = \{\}.$$
We have (from the definition of the domain and range),
$$dom(\{x \leftarrow e\}) = \{x\} \quad\text{and}\quad range(\{x \leftarrow e\}) = vars(e).$$
Because $x \not\prec e$, i.e. (by the Variables Proposition) $x \notin vars(e)$, we have
$$dom(\{x \leftarrow e\}) \cap range(\{x \leftarrow e\}) = \{x\} \cap vars(e) = \{\},$$
as we wanted to show.

We have succeeded in showing that $\{x \leftarrow e\}$ is a most-general, idempotent unifier in this case.
$$unify(x, e) = \{x \leftarrow e\} \quad\text{if } x \not\prec e$$

Case (not-in, right): $s$ is an expression $e$, $s'$ is a variable $x$, $x \not\prec e$, and $e$ is not a variable.

As in the previous case, we find that $\{x \leftarrow e\}$ is a most-general, idempotent unifier of $e$ and $x$. The condition that the first argument $e$ is not a variable is not required in the proof; it is included because the possibility that $s$ and $s'$ are both variables is covered by the previous case.
$$unify(e, x) = \{x \leftarrow e\} \quad\text{if } x \not\prec e \text{ and } e \text{ is not a variable}$$

Case (in): $s$ is a variable $x$, $s'$ is an expression $e$, and $x \prec e$.

In this case, we can show that $x$ and $e$ are not unifiable. For, let $\lambda$ be an arbitrary substitution. Because $x \prec e$, we have (by the Monotonicity Proposition)
$$x \triangleleft \lambda \prec e \triangleleft \lambda$$
and hence (by the irreflexivity of $\prec$)
$$x \triangleleft \lambda \neq e \triangleleft \lambda.$$
Therefore, $x$ and $e$ are not unifiable and we can satisfy the second disjunct of the desired conclusion $P(x, e)$ by taking $\theta$ to be $nil$.

The symmetric case, in which $s$ is an expression $e$, $s'$ is a variable $x$, and $x \prec e$, is treated similarly.
$$unify(x, e) = unify(e, x) = nil \quad\text{if } x \prec e$$

Case (list): $s$ is a variable $x$ and $s'$ is a list of ℓ-expressions $m$.

In this case, we can show that $x$ and $m$ are not unifiable. For, let $\lambda$ be an arbitrary substitution. Then (by the Syntactic Categories Proposition), $x \triangleleft \lambda$ is an expression but $m \triangleleft \lambda$ is a list of ℓ-expressions; hence (by the disjointness of the syntactic categories)
$$x \triangleleft \lambda \neq m \triangleleft \lambda;$$
i.e., $x$ and $m$ are not unifiable. Therefore, we can satisfy the second disjunct of the desired conclusion $P(x, m)$ by taking $\theta$ to be $nil$.

The symmetric case, in which $s$ is a list of ℓ-expressions $m$ and $s'$ is a variable $x$, is treated similarly.
$$unify(x, m) = unify(m, x) = nil$$


FUNCTIONAL CASES

Case (same): $s$ and $s'$ are functional expressions $f \bullet \ell$ and $f \bullet \ell'$, respectively, with the same function symbol $f$.

Recall that (in this case) we are attempting to prove the conclusion
$$P(f \bullet \ell, f \bullet \ell');$$
i.e., we want to find an output $\theta$ such that
$$\begin{array}{l}
(f \bullet \ell) \triangleleft \theta = (f \bullet \ell') \triangleleft \theta \text{ and} \\
(\forall \lambda)[\text{if } (f \bullet \ell) \triangleleft \lambda = (f \bullet \ell') \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda] \text{ and} \\
\theta = \theta \diamond \theta \text{ and} \\
\theta \neq nil \\
\text{or} \\
(\forall \lambda)[(f \bullet \ell) \triangleleft \lambda \neq (f \bullet \ell') \triangleleft \lambda] \text{ and} \\
\theta = nil.
\end{array}$$
This reduces (by the Application Unifier Proposition) to finding an output $\theta$ such that
$$(*)\quad \begin{array}{l}
\ell \triangleleft \theta = \ell' \triangleleft \theta \text{ and} \\
(\forall \lambda)[\text{if } \ell \triangleleft \lambda = \ell' \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda] \text{ and} \\
\theta = \theta \diamond \theta \text{ and} \\
\theta \neq nil \\
\text{or} \\
(\forall \lambda)[\ell \triangleleft \lambda \neq \ell' \triangleleft \lambda] \text{ and} \\
\theta = nil.
\end{array}$$

Recall that we have assumed as our induction hypothesis that (in this case)
$$\text{if } (r, r') \prec_{un} (f \bullet \ell, f \bullet \ell') \text{ then } \left[\begin{array}{l}
r \triangleleft unify(r, r') = r' \triangleleft unify(r, r') \text{ and} \\
(\forall \lambda)[\text{if } r \triangleleft \lambda = r' \triangleleft \lambda \text{ then } unify(r, r') \succeq_{gen} \lambda] \text{ and} \\
unify(r, r') = unify(r, r') \diamond unify(r, r') \text{ and} \\
unify(r, r') \neq nil \\
\text{or} \\
(\forall \lambda)[r \triangleleft \lambda \neq r' \triangleleft \lambda] \text{ and} \\
unify(r, r') = nil
\end{array}\right]$$
for all ℓ-expressions $r$ and $r'$.

The required condition $(*)$ and the consequent of the induction hypothesis are identical if we take $r$ to be $\ell$, $r'$ to be $\ell'$, and $\theta$ to be $unify(\ell, \ell')$. Therefore, we can satisfy the conclusion if we can establish the appropriate instance of the induction hypothesis's antecedent, i.e.,
$$(\ell, \ell') \prec_{un} (f \bullet \ell, f \bullet \ell'). \qquad (application\ ordering)$$
The well-founded ordering $\prec_{un}$ will be chosen subsequently. Assuming it will satisfy this condition, we have found that the desired conclusion $P(f \bullet \ell, f \bullet \ell')$ in this case is satisfied if we take $\theta$ to be $unify(\ell, \ell')$.
$$unify(f \bullet \ell, f \bullet \ell') = unify(\ell, \ell')$$

Case (distinct): $s$ and $s'$ are functional expressions $f \bullet \ell$ and $f' \bullet \ell'$, respectively, where $f \neq f'$.

In this case, we can show that $f \bullet \ell$ and $f' \bullet \ell'$ are not unifiable. For any arbitrary substitution $\lambda$, we have (by the application property of the apply function)
$$(f \bullet \ell) \triangleleft \lambda = f \bullet (\ell \triangleleft \lambda)$$
and
$$(f' \bullet \ell') \triangleleft \lambda = f' \bullet (\ell' \triangleleft \lambda).$$
Because $f$ and $f'$ are distinct, we have (by the uniqueness properties of ℓ-expressions)
$$f \bullet (\ell \triangleleft \lambda) \neq f' \bullet (\ell' \triangleleft \lambda),$$
and hence
$$(f \bullet \ell) \triangleleft \lambda \neq (f' \bullet \ell') \triangleleft \lambda.$$
Thus, $f \bullet \ell$ and $f' \bullet \ell'$ are not unifiable.

Therefore, we can satisfy the second disjunct of the desired conclusion, in this case, if we take $\theta$ to be $nil$.
$$unify(f \bullet \ell, f' \bullet \ell') = nil \quad\text{if } f \neq f'$$


LIST CASES

In all of the list cases, $s$ and $s'$ are nonempty lists $t \circ m$ and $t' \circ m'$, respectively, where $t$ and $t'$ are ℓ-expressions and $m$ and $m'$ are lists of ℓ-expressions.

Recall that (in the list cases) we are attempting to prove the conclusion
$$P(t \circ m, t' \circ m');$$
i.e., we want to find an output $\theta$ such that
$$\begin{array}{l}
(t \circ m) \triangleleft \theta = (t' \circ m') \triangleleft \theta \text{ and} \\
(\forall \lambda)[\text{if } (t \circ m) \triangleleft \lambda = (t' \circ m') \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda] \text{ and} \\
\theta = \theta \diamond \theta \text{ and} \\
\theta \neq nil \\
\text{or} \\
(\forall \lambda)[(t \circ m) \triangleleft \lambda \neq (t' \circ m') \triangleleft \lambda] \text{ and} \\
\theta = nil.
\end{array}$$
By the Insertion Unifier Proposition, this decomposes into finding $\theta$ such that
$$(*)\quad \begin{array}{lll}
(1) & t \triangleleft \theta = t' \triangleleft \theta \text{ and} & (head\ unifier) \\
(2) & m \triangleleft \theta = m' \triangleleft \theta \text{ and} & (tail\ unifier) \\
(3) & (\forall \lambda)[\text{if } (t \circ m) \triangleleft \lambda = (t' \circ m') \triangleleft \lambda \text{ then } \theta \succeq_{gen} \lambda] \text{ and} & (most\text{-}generality) \\
(4) & \theta = \theta \diamond \theta \text{ and} & (idempotence) \\
(5) & \theta \neq nil & (nonnil) \\
& \text{or} & \\
(6) & (\forall \lambda)[t \triangleleft \lambda \neq t' \triangleleft \lambda \text{ or } m \triangleleft \lambda \neq m' \triangleleft \lambda] \text{ and} & (ununifiability) \\
(7) & \theta = nil. & (nil)
\end{array}$$
The separate conditions of $(*)$ are numbered for future reference. We attempt to establish conditions (1) to (5) or, alternatively, conditions (6) and (7).

Recall that we have assumed as our induction hypothesis (in this case)
$$\text{if } (r, r') \prec_{un} (t \circ m, t' \circ m') \text{ then } \left[\begin{array}{l}
r \triangleleft unify(r, r') = r' \triangleleft unify(r, r') \text{ and} \\
(\forall \lambda)[\text{if } r \triangleleft \lambda = r' \triangleleft \lambda \text{ then } unify(r, r') \succeq_{gen} \lambda] \text{ and} \\
unify(r, r') = unify(r, r') \diamond unify(r, r') \text{ and} \\
unify(r, r') \neq nil \\
\text{or} \\
(\forall \lambda)[r \triangleleft \lambda \neq r' \triangleleft \lambda] \text{ and} \\
unify(r, r') = nil
\end{array}\right]$$
for all ℓ-expressions $r$ and $r'$.

Let us compare this induction hypothesis with our required conclusion $(*)$. A natural approach would be to observe that one of the first two conditions, say the tail unifier condition (2),
$$m \triangleleft \theta = m' \triangleleft \theta,$$
is identical to the condition that
$$r \triangleleft unify(r, r') = r' \triangleleft unify(r, r'),$$
asserted in our induction hypothesis, if we take $r$ to be $m$, $r'$ to be $m'$, and $\theta$ to be $unify(m, m')$. However, we still would have to show the head unifier condition (1),
$$t \triangleleft \theta = t' \triangleleft \theta,$$
i.e.,
$$t \triangleleft unify(m, m') = t' \triangleleft unify(m, m').$$
But this condition is not necessarily true: a unifier of $m$ and $m'$ need not be a unifier of $t$ and $t'$. Therefore, we would fail to prove the condition.

An attempt to do the same for the head unifier condition (1),
$$t \triangleleft \theta = t' \triangleleft \theta,$$
would fail for the same reason; these two required conditions are symmetric.

A less straightforward approach is to observe that one of the first two conditions, say the tail unifier condition (2),
$$m \triangleleft \theta = m' \triangleleft \theta,$$
is also equivalent to the same condition of the induction hypothesis
$$r \triangleleft unify(r, r') = r' \triangleleft unify(r, r')$$
under a more complex substitution than we considered earlier.
proof of the tail unifier condition (2):

Recall the definition of the composition of substitutions
$$m^* \triangleleft (\theta_{hd} \diamond \theta_{tl}) = (m^* \triangleleft \theta_{hd}) \triangleleft \theta_{tl}$$
for all ℓ-expressions $m^*$ and substitutions $\theta_{hd}$ and $\theta_{tl}$. (We have renamed the variables to reflect how we intend to use them.)

Applying this equality to the left-hand side of our required condition
$$m \triangleleft \theta = m' \triangleleft \theta$$
(taking $m^*$ to be $m$ and $\theta$ to be $\theta_{hd} \diamond \theta_{tl}$) we obtain the condition
$$(m \triangleleft \theta_{hd}) \triangleleft \theta_{tl} = m' \triangleleft (\theta_{hd} \diamond \theta_{tl}).$$
Applying the same equality to the right-hand side (taking $m^*$ to be $m'$) yields the condition
$$(m \triangleleft \theta_{hd}) \triangleleft \theta_{tl} = (m' \triangleleft \theta_{hd}) \triangleleft \theta_{tl}.$$
This condition is identical to the condition in our induction hypothesis
$$r \triangleleft unify(r, r') = r' \triangleleft unify(r, r')$$
if we take $r$ to be $m \triangleleft \theta_{hd}$, $r'$ to be $m' \triangleleft \theta_{hd}$, and $\theta_{tl}$ to be $unify(m \triangleleft \theta_{hd}, m' \triangleleft \theta_{hd})$.

Let us retain the abbreviation $\theta_{tl}$ for the term $unify(m \triangleleft \theta_{hd}, m' \triangleleft \theta_{hd})$. Thus, the above match has suggested taking
$$\theta \text{ to be } \theta_{hd} \diamond \theta_{tl},$$
where
$$\theta_{tl} \text{ is } unify(m \triangleleft \theta_{hd}, m' \triangleleft \theta_{hd})$$
and $\theta_{hd}$ is any substitution.

Let us rewrite the induction hypothesis for this case, making the substitutions suggested by the above match:
$$\text{if } (m \triangleleft \theta_{hd}, m' \triangleleft \theta_{hd}) \prec_{un} (t \circ m, t' \circ m') \text{ then } \left[\begin{array}{l}
(m \triangleleft \theta_{hd}) \triangleleft \theta_{tl} = (m' \triangleleft \theta_{hd}) \triangleleft \theta_{tl} \text{ and} \\
(\forall \lambda)[\text{if } (m \triangleleft \theta_{hd}) \triangleleft \lambda = (m' \triangleleft \theta_{hd}) \triangleleft \lambda \text{ then } \theta_{tl} \succeq_{gen} \lambda] \text{ and} \\
\theta_{tl} = \theta_{tl} \diamond \theta_{tl} \text{ and} \\
\theta_{tl} \neq nil \\
\text{or} \\
(\forall \lambda)[(m \triangleleft \theta_{hd}) \triangleleft \lambda \neq (m' \triangleleft \theta_{hd}) \triangleleft \lambda] \text{ and} \\
\theta_{tl} = nil
\end{array}\right]$$
We will refer to this as the tail induction hypothesis.

To apply this tail induction hypothesis, we must establish

• the antecedent
$$(8)\quad (m \triangleleft \theta_{hd}, m' \triangleleft \theta_{hd}) \prec_{un} (t \circ m, t' \circ m'), \qquad (tail\ ordering)$$
to ensure that the consequent of the tail induction hypothesis will be true;

• the condition
$$(9)\quad \theta_{tl} \neq nil, \qquad (tail\ nonnil)$$
to ensure that the second disjunct of the consequent of the tail induction hypothesis will be false, so that the first disjunct must be true.

Regardless of the choice of $\theta_{hd}$, this will establish the tail unifier condition (2) of the required conclusion $(*)$. We must also establish the head unifier condition (1), the most-generality condition (3), and the idempotence condition (4), where $\theta$ is taken to be $\theta_{hd} \diamond \theta_{tl}$. We know $\theta_{hd} \diamond \theta_{tl}$ will satisfy the nonnil condition (5), since any substitution is distinct from $nil$. In cases where we fail to establish one or more of these conditions, we can alternatively attempt to establish the ununifiability condition (6) and the nil condition (7) of the required conclusion $(*)$, taking $\theta$ to be $nil$.

We consider these conditions one by one, but not in the given order.

proof of the head unifier condition (1):

We  must  find  a  substitution  Ohd  such  that  Ohd  O  0(i  is  a  unifier  of  t  and  £';  i.e.,  that 

t  *  (Ohd  O  Ou)  =  t'  •*  (Ohd  O  Oa), 

or,  equivalently  (by  the  definition  of  composition),  that 
(L  *  Ohd)  +  0a  =  (£'  Ohd)  •*  0(i- 
It  thus  suffices  to  find  Ohd  such  that 


t-*0hd  =  t'  ■*  Ohd- 


We  observe  that  the  above  condition  is  identical  to  the  condition  that 
r  +  unify(r,  r')  =  r'  <  unify{r,  r'), 

asserted  in  our  induction  hypothesis,  if  we  take  r  to  be  t,  r'  to  be  t'  and  Ohd  to  be  unify(t,  t').  We 
retain  the  abbreviation 


Let  us  rewrite  the  induction  hypothesis  for  this  case,  making  the  substitutions  suggested  by 
the  above  match: 

»/  (*,  t')  <U  n  {tom,  t'  om') 
t  0hd  ---  t'  ■*  9, id  and 

(VX)(i/  t*\  =  t'  then  9hd  >;ge„  X]  and 
0;ld  =  9>ld  O  Ohd  and 
then  Ohd  7^  ni^ 
or 

(VX)(£  -«  X  7^  £'  •<  Xj  and 
.Ohd  =  nil 

We  will  refer  to  this  as  the  head  induction  hypothesis. 

To apply this head induction hypothesis, we must establish

• the antecedent
$$(t, t') \prec_{un} (t \circ m, t' \circ m'), \qquad (head\ ordering)$$
to ensure that the consequent of the head induction hypothesis will be true;

• the condition
$$\theta_{hd} \neq nil \qquad (head\ nonnil)$$
to ensure that the second disjunct of the consequent of the head induction hypothesis will be false, so that the first disjunct must be true.

As usual, we defer discussion of the head ordering condition, that
$$(t, t') \prec_{un} (t \circ m, t' \circ m'),$$
until we have accumulated all such conditions, so that we can define an ordering $\prec_{un}$ to satisfy them all at once.

The head nonnil condition $\theta_{hd} \neq nil$ is not necessarily true: $t$ and $t'$ need not be unifiable. Let us now consider the alternate possibility.

Case (no): $\theta_{hd} = nil$.

Then, by our head induction hypothesis, $t$ and $t'$ are not unifiable; i.e.,
$$t \triangleleft \lambda \neq t' \triangleleft \lambda$$
for all substitutions $\lambda$. Therefore, we can satisfy the ununifiability condition (6) and the nil condition (7) of the required conclusion $(*)$, in this case, by taking $\theta$ to be $nil$.
$$unify(t \circ m, t' \circ m') = nil \quad\text{if } \theta_{hd} = nil$$


Case:  0hd  7^  nil. 

That  is,  unify(t,  t')  ^  nil.  In  this  case,  our  head  induction  hypothesis  establishes  that  0^d 
is  indeed  a  most-general,  idenipotcnt  unifier  of  t  and  t1 ,  and  therefore  the  head  umjicr  condition 
(1)  is  satisfied.  It  remains  to  show  the  tail  ordering  condition  (8)  and  the  tail  nonnil  condition  (9); 
these  conditions  ensure  that  we  can  apply  the  tail  induction  hypothesis  to  establish  the  tail  unifier 
condition  (2)  of  the  required  conclusion  (*).  It  also  remains  to  show  the  original  mosi  generality 
condition  (3)  and  idempotence  condition  (4).  As  usual,  we  assume  that  wc  can  establish  the  tail 
ordering  condition  (8),  and  defer  its  proof. 

proof  of  the  tail  nonnil  condition  (9): 

The  condition  that  0U  yck  nil,  i.e.,  unify(m  •«  0^d,  m'  +  O^d)  7^  nil,  is  not  necessarily  true: 
m-*0hd  and  m'  -<0hd  need  not  be  unifiable.  Let  us  consider  the  alternate  possibility. 


Subcase  (yes-no):  On  —  nil. 

That is, $\mathit{unify}(m \triangleleft \theta_{hd},\ m' \triangleleft \theta_{hd}) = \mathit{nil}$. Then, by our tail induction hypothesis (where $r$ and $r'$ were taken to be $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$, respectively), $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$ are not unifiable, i.e.,

$(m \triangleleft \theta_{hd}) \triangleleft \lambda \neq (m' \triangleleft \theta_{hd}) \triangleleft \lambda,$

for all substitutions $\lambda$. We establish, in this case, the ununifiability condition (6), that $(\forall \lambda)[t \triangleleft \lambda \neq t' \triangleleft \lambda \text{ or } m \triangleleft \lambda \neq m' \triangleleft \lambda]$. For suppose, to the contrary, that, for some substitution $\lambda$,

$t \triangleleft \lambda = t' \triangleleft \lambda,$

i.e., $\lambda$ is a unifier of $t$ and $t'$, and

$m \triangleleft \lambda = m' \triangleleft \lambda,$

i.e., $\lambda$ is a unifier of $m$ and $m'$.

Because $\lambda$ is a unifier of $t$ and $t'$, and because $\theta_{hd}$ is a most-general, idempotent unifier of $t$ and $t'$, we have (by the Most-General, Idempotent Unifier Proposition)

$\lambda = \theta_{hd} \diamond \lambda.$

Hence, because $\lambda$ is a unifier of $m$ and $m'$, i.e., $m \triangleleft \lambda = m' \triangleleft \lambda$, we have

$m \triangleleft (\theta_{hd} \diamond \lambda) = m' \triangleleft (\theta_{hd} \diamond \lambda),$

or equivalently (by the definition of composition)

$(m \triangleleft \theta_{hd}) \triangleleft \lambda = (m' \triangleleft \theta_{hd}) \triangleleft \lambda,$

i.e., $\lambda$ is a unifier of $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$. But this contradicts our earlier finding, that $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$ are not unifiable. Hence, the ununifiability condition (6) is established and, in this case, we can establish the required conclusion (*) by taking $\theta$ to be $\mathit{nil}$.

$\mathit{unify}(t \circ m,\ t' \circ m') = \mathit{nil} \quad \text{if } \theta_{hd} \neq \mathit{nil} \text{ and } \theta_{tl} = \mathit{nil}$


Subcase (yes-yes): $\theta_{tl} \neq \mathit{nil}$.

That is, the tail nonnil condition (9), that $\mathit{unify}(m \triangleleft \theta_{hd},\ m' \triangleleft \theta_{hd}) \neq \mathit{nil}$, is true. Let us again retrace our steps, to see what we have established.

Since we have assumed the tail ordering condition (8), we know that the consequent of the tail induction hypothesis is true (where $r$ and $r'$ were taken to be $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$, respectively). Because (in this case) the tail nonnil condition (9) is true, we know that the second disjunct of the consequent is false, and therefore that the first disjunct must be true. This implies that $\theta_{tl}$ is a most-general, idempotent unifier of $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$, and hence (by applying the definition of composition twice) that $\theta_{hd} \diamond \theta_{tl}$ is a unifier of $m$ and $m'$. This establishes the tail unifier condition (2), which was our reason for applying the tail induction hypothesis in the first place.


proof of the most-generality and idempotence conditions (3 and 4):

It still remains to show the most-generality condition (3),

$(\forall \lambda)[\text{if } (t \circ m) \triangleleft \lambda = (t' \circ m') \triangleleft \lambda \text{ then } (\theta_{hd} \diamond \theta_{tl}) \geq_{gen} \lambda]$

and the idempotence condition (4), that

$\theta_{hd} \diamond \theta_{tl} = (\theta_{hd} \diamond \theta_{tl}) \diamond (\theta_{hd} \diamond \theta_{tl}).$

For this purpose, it suffices (by the Most-General, Idempotent Unifier Proposition) to show the single condition that

$(\forall \lambda)[\text{if } (t \circ m) \triangleleft \lambda = (t' \circ m') \triangleleft \lambda \text{ then } \lambda = (\theta_{hd} \diamond \theta_{tl}) \diamond \lambda],$

i.e. (by the Insertion Unifier Proposition),

$(\forall \lambda)[\text{if } t \triangleleft \lambda = t' \triangleleft \lambda \text{ and } m \triangleleft \lambda = m' \triangleleft \lambda \text{ then } \lambda = (\theta_{hd} \diamond \theta_{tl}) \diamond \lambda].$

Suppose that $\lambda$ is an arbitrary substitution such that

$t \triangleleft \lambda = t' \triangleleft \lambda$

and

$m \triangleleft \lambda = m' \triangleleft \lambda.$

We would like to show that then

$\lambda = (\theta_{hd} \diamond \theta_{tl}) \diamond \lambda.$


Because $\lambda$ is a unifier of $t$ and $t'$, and because $\theta_{hd}$ is a most-general, idempotent unifier of $t$ and $t'$, we have (by the Most-General, Idempotent Unifier Proposition, again) that

$\lambda = \theta_{hd} \diamond \lambda.$

Therefore, because $m \triangleleft \lambda = m' \triangleleft \lambda$, we have

$m \triangleleft (\theta_{hd} \diamond \lambda) = m' \triangleleft (\theta_{hd} \diamond \lambda),$

i.e. (by the definition of composition),

$(m \triangleleft \theta_{hd}) \triangleleft \lambda = (m' \triangleleft \theta_{hd}) \triangleleft \lambda.$

In other words, $\lambda$ is a unifier of $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$.

But then, because $\theta_{tl}$ is a most-general, idempotent unifier of $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$, we have (by the Most-General, Idempotent Unifier Proposition, yet again) that

$\lambda = \theta_{tl} \diamond \lambda.$

Therefore,

$\lambda = \theta_{hd} \diamond \lambda = \theta_{hd} \diamond (\theta_{tl} \diamond \lambda) = (\theta_{hd} \diamond \theta_{tl}) \diamond \lambda.$

In short, we obtain the condition,

$\lambda = (\theta_{hd} \diamond \theta_{tl}) \diamond \lambda,$

that we wanted to show.

We conclude that $\theta_{hd} \diamond \theta_{tl}$ satisfies the most-generality condition (3) and the idempotence condition (4) of the required conclusion (*), and thus in this case we are justified in taking $\theta$ to be $\theta_{hd} \diamond \theta_{tl}$.


$\mathit{unify}(t \circ m,\ t' \circ m') = \theta_{hd} \diamond \theta_{tl} \quad \text{if } \theta_{hd} \neq \mathit{nil} \text{ and } \theta_{tl} \neq \mathit{nil}$


This  concludes  the  final  case. 


THE  ORDERING 




We have deferred the choice of an ordering $\prec_{un}$ to satisfy the ordering conditions we have accumulated during the proof. The choice of this ordering is not so well-motivated formally as the other steps of this derivation. The ordering conditions to be satisfied by $\prec_{un}$ are as follows:

the application ordering condition

$(\ell, \ell') \prec_{un} (f \bullet \ell,\ f \bullet \ell'),$

the head ordering condition

$(t, t') \prec_{un} (t \circ m,\ t' \circ m'),$

and the tail ordering condition

$(m \triangleleft \theta_{hd},\ m' \triangleleft \theta_{hd}) \prec_{un} (t \circ m,\ t' \circ m')$

for all function symbols $f$, lists of expressions $\ell$ and $\ell'$, $\ell$-expressions $t$ and $t'$, and lists of $\ell$-expressions $m$ and $m'$, where $\theta_{hd} \neq \mathit{nil}$, i.e., $\mathit{unify}(t, t') \neq \mathit{nil}$.

It would be natural to attempt to use as the definition of $\prec_{un}$ the subexpression ordering $\prec$ on one of the two arguments. However, if we take $\prec_{un}$ to be, say, the ordering $\prec_1$ on the first argument, defined by

$(r, r') \prec_1 (s, s')$

if and only if

$r \prec s,$

it will satisfy the first two of these conditions, and will satisfy the third condition in the case that $m \triangleleft \theta_{hd} = m$. However, this ordering may fail to satisfy the third condition if $m \triangleleft \theta_{hd} \neq m$, because $m \triangleleft \theta_{hd}$ may no longer be a subexpression of $t \circ m$, and may in fact be much larger. For example, if

$t$ is $x$
$t'$ is $g(a, y, b)$

and

$m$ is $[f(x, x, x)]$,
$m'$ is $[z]$

then

$t \circ m$ is $[x, f(x, x, x)]$
$t' \circ m'$ is $[g(a, y, b), z]$.

In this case

$\theta_{hd}$ is $\{x \leftarrow g(a, y, b)\}$

and

$m \triangleleft \theta_{hd}$ is $[f(g(a, y, b), g(a, y, b), g(a, y, b))]$
$m' \triangleleft \theta_{hd}$ is $[z]$.

Thus, $m \triangleleft \theta_{hd}$ is not a subexpression of $t \circ m$.

In the case that $m \triangleleft \theta_{hd} \neq m$, however, it can be shown that the variables of $m \triangleleft \theta_{hd}$ and $m' \triangleleft \theta_{hd}$ are a proper subset of the variables of $t \circ m$ and $t' \circ m'$; i.e.,

$\mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}) \subset \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m').$

In other words, $\theta_{hd}$ removes variables from $m$ and $m'$ without introducing any that are not in $t \circ m$ or $t' \circ m'$. Thus, the ordering defined by

$(r, r') \prec_{vars} (s, s')$

if and only if

$\mathit{vars}(r) \cup \mathit{vars}(r') \subset \mathit{vars}(s) \cup \mathit{vars}(s'),$

will satisfy the tail ordering condition in this case. Thus, in the above example,

$\mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}) = \{y, z\}$

and

$\mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m') = \{x, y, z\},$

and hence

$(m \triangleleft \theta_{hd},\ m' \triangleleft \theta_{hd}) \prec_{vars} (t \circ m,\ t' \circ m').$

However, this ordering will fail to satisfy the first two conditions on $\prec_{un}$, and will also fail to satisfy the third condition in the case that $m \triangleleft \theta_{hd} = m$ and $m' \triangleleft \theta_{hd} = m'$. For example (by the application property of $\mathit{vars}$),

$\mathit{vars}(\ell) = \mathit{vars}(f \bullet \ell)$
$\mathit{vars}(\ell') = \mathit{vars}(f \bullet \ell')$

and hence

$\mathit{vars}(\ell) \cup \mathit{vars}(\ell') = \mathit{vars}(f \bullet \ell) \cup \mathit{vars}(f \bullet \ell'),$

i.e.,

$\text{not } [(\ell, \ell') \prec_{vars} (f \bullet \ell,\ f \bullet \ell')].$

In other words, the first condition, $(\ell, \ell') \prec_{un} (f \bullet \ell,\ f \bullet \ell')$, is never satisfied under the $\prec_{vars}$ ordering.

The successful ordering $\prec_{un}$ is a lexicographic combination of these two orderings $\prec_{vars}$ and $\prec_1$, defined by the property

$(r, r') \prec_{un} (s, s')$

if and only if

$\mathit{vars}(r) \cup \mathit{vars}(r') \subset \mathit{vars}(s) \cup \mathit{vars}(s')$, or $\mathit{vars}(r) \cup \mathit{vars}(r') = \mathit{vars}(s) \cup \mathit{vars}(s')$ and $r \prec s$.

• To see that, under this definition, the application ordering condition,

$(\ell, \ell') \prec_{un} (f \bullet \ell,\ f \bullet \ell'),$

is satisfied, note that (as we mentioned above)

$\mathit{vars}(\ell) \cup \mathit{vars}(\ell') = \mathit{vars}(f \bullet \ell) \cup \mathit{vars}(f \bullet \ell')$

and (by a component property of $\prec$)

$\ell \prec f \bullet \ell.$

Hence, by the definition of the ordering $\prec_{un}$, the application ordering condition is indeed satisfied.

• To see that, under this definition, the head ordering condition,

$(t, t') \prec_{un} (t \circ m,\ t' \circ m'),$

is satisfied, note that (by the insertion property of $\mathit{vars}$)

$\mathit{vars}(t) \subseteq \mathit{vars}(t) \cup \mathit{vars}(m) = \mathit{vars}(t \circ m)$
$\mathit{vars}(t') \subseteq \mathit{vars}(t') \cup \mathit{vars}(m') = \mathit{vars}(t' \circ m'),$

and hence

$\mathit{vars}(t) \cup \mathit{vars}(t') \subseteq \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m').$

In case the inclusion is proper, i.e.,

$\mathit{vars}(t) \cup \mathit{vars}(t') \subset \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m'),$

we have

$(t, t') \prec_{un} (t \circ m,\ t' \circ m')$

immediately. On the other hand, if the two sets are equal, i.e.,

$\mathit{vars}(t) \cup \mathit{vars}(t') = \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m'),$

we note that (by a component property of $\prec$)

$t \prec t \circ m.$

Hence, by the definition of the ordering $\prec_{un}$, the head ordering condition is also satisfied in this case.

• Finally, we must show that the tail ordering condition,

$(m \triangleleft \theta_{hd},\ m' \triangleleft \theta_{hd}) \prec_{un} (t \circ m,\ t' \circ m'),$

is satisfied, where $\theta_{hd} = \mathit{unify}(t, t') \neq \mathit{nil}$. First, we have

$\mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd})$

$\subseteq \mathit{vars}(m) \cup \mathit{range}(\theta_{hd}) \cup \mathit{vars}(m') \cup \mathit{range}(\theta_{hd})$
    by the Variable Introduction Proposition

$= \mathit{vars}(m) \cup \mathit{vars}(m') \cup \mathit{range}(\theta_{hd})$

$\subseteq \mathit{vars}(m) \cup \mathit{vars}(m') \cup \mathit{vars}(t) \cup \mathit{vars}(t')$
    by the Domain and Range Proposition, because $\theta_{hd}$ is a most-general, idempotent unifier for $t$ and $t'$

$= \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m')$
    by the insertion property of $\mathit{vars}$.

In short,

$\mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}) \subseteq \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m').$

By the definition of the ordering $\prec_{un}$, we must either show that this inclusion is proper, i.e.,

(*) $\mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}) \subset \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m'),$

or show that

(**) $m \triangleleft \theta_{hd} \prec t \circ m.$

For this purpose, we distinguish between two subcases.


Subcase: $m \triangleleft \theta_{hd} = m$.

Then (by a component property of $\prec$)

$m \triangleleft \theta_{hd} = m \prec t \circ m.$


Subcase: $m \triangleleft \theta_{hd} \neq m$.

In this case, we will show (*), that the inclusion is proper, i.e.,

$\mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}) \subset \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m').$

We have already shown the $\subseteq$ inclusion; therefore, it suffices to show the existence of a variable $z$ such that

(†) $z \in \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m')$

but

(††) $z \notin \mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}).$

First, because $m \triangleleft \theta_{hd} \neq m$, we know (by the Invariance Corollary) that

$\mathit{vars}(m) \cap \mathit{dom}(\theta_{hd}) \neq \{\},$

i.e., there is a variable $z$ such that

$z \in \mathit{vars}(m)$

and

$z \in \mathit{dom}(\theta_{hd}).$

We know (by the insertion property of $\mathit{vars}$) that

$\mathit{vars}(m) \subseteq \mathit{vars}(t) \cup \mathit{vars}(m) = \mathit{vars}(t \circ m).$

Then, because $z \in \mathit{vars}(m)$, we have the desired property (†),

$z \in \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m').$

Next, because $\theta_{hd}$ is idempotent, we have (by the Idempotence Proposition)

$\mathit{dom}(\theta_{hd}) \cap \mathit{range}(\theta_{hd}) = \{\},$

and, thus, because

$z \in \mathit{dom}(\theta_{hd}),$

we have

$z \notin \mathit{range}(\theta_{hd}).$

It follows (by the Variable Elimination Proposition) that

$z \notin \mathit{vars}(m \triangleleft \theta_{hd})$

and

$z \notin \mathit{vars}(m' \triangleleft \theta_{hd}),$

and hence

$z \notin \mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}).$

This is the desired property (††). We have thus established the proper inclusion

$\mathit{vars}(m \triangleleft \theta_{hd}) \cup \mathit{vars}(m' \triangleleft \theta_{hd}) \subset \mathit{vars}(t \circ m) \cup \mathit{vars}(t' \circ m').$

In both subcases, we can conclude that

$(m \triangleleft \theta_{hd},\ m' \triangleleft \theta_{hd}) \prec_{un} (t \circ m,\ t' \circ m').$

Thus, the tail ordering condition for $\prec_{un}$ is satisfied.
This concludes the entire derivation proof. ∎


ALTERNATE  DERIVATIONS 


We have followed only one proof of the desired theorem. Had we followed other proofs, different programs would have resulted. For example, in the list cases of the above derivation, we first matched the tail unifier condition $m \triangleleft \theta = m' \triangleleft \theta$ against the induction hypothesis (after applying the definition of composition); had we instead matched the symmetric head unifier condition $t \triangleleft \theta = t' \triangleleft \theta$, another proof would have been obtained, and the list cases of the resulting program would have been as follows:

let $\theta_{tl} = \mathit{unify}(m, m')$
if $\theta_{tl} = \mathit{nil}$
  then $\mathit{unify}(t \circ m,\ t' \circ m') = \mathit{nil}$
  else let $\theta_{hd} = \mathit{unify}(t \triangleleft \theta_{tl},\ t' \triangleleft \theta_{tl})$
       if $\theta_{hd} = \mathit{nil}$
         then $\mathit{unify}(t \circ m,\ t' \circ m') = \mathit{nil}$
         else $\mathit{unify}(t \circ m,\ t' \circ m') = \theta_{tl} \diamond \theta_{hd}.$

This  program  will  also  satisfy  the  same  specification  as  the  original  program  but,  because  it 
examines  the  list  from  right  to  left  rather  than  left  to  right,  it  may  produce  a  different  most-general, 
idempotent  unifier. 
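The derived list case (θ_hd first, result θ_hd ◇ θ_tl), the right-to-left alternate just shown (θ_tl first, result θ_tl ◇ θ_hd), and the vars-based measure from the ordering section, as an added Python example that is not part of the paper; the term encoding, the function names, and the head_first flag are this example's own, and the inputs are the paper's ordering example plus one constructed pair on which the two programs return different most-general unifiers.

```python
# Added example, not the paper's code: the derived list case of unify
# (theta_hd first) beside the right-to-left alternate (theta_tl first), and
# the vars measure behind the ordering. Terms (constructed encoding): a
# variable is a str, an application f(e1,..,en) is (f, (e1,..,en)).

def vars_of(e):
    """vars(e) for an expression or a list of expressions."""
    if isinstance(e, str):
        return {e}
    parts = e if isinstance(e, list) else e[1]
    return set().union(*(vars_of(x) for x in parts))

def apply(e, theta):
    """e ◁ theta: replace each variable in dom(theta) by its image."""
    if isinstance(e, str):
        return theta.get(e, e)
    if isinstance(e, list):
        return [apply(x, theta) for x in e]
    return (e[0], tuple(apply(x, theta) for x in e[1]))

def compose(theta, phi):
    """theta ◇ phi, defined so that e ◁ (theta ◇ phi) = (e ◁ theta) ◁ phi."""
    out = {x: apply(u, phi) for x, u in theta.items()}
    out.update({y: u for y, u in phi.items() if y not in theta})
    return out

def unify(s, s2, head_first=True):
    """Most-general idempotent unifier of s and s2, or None (nil)."""
    if s == s2:
        return {}
    if isinstance(s, str):                  # variable case, with occurs check
        return None if s in vars_of(s2) else {s: s2}
    if isinstance(s2, str):
        return None if s2 in vars_of(s) else {s2: s}
    if isinstance(s, list) != isinstance(s2, list):
        return None
    if not isinstance(s, list):             # f•l and g•l': symbols must agree
        return unify(list(s[1]), list(s2[1]), head_first) if s[0] == s2[0] else None
    if not s or not s2:                     # [] against a nonempty list
        return None
    t, m, t2, m2 = s[0], s[1:], s2[0], s2[1:]
    if head_first:                          # unify(t∘m, t'∘m') = θ_hd ◇ θ_tl
        hd = unify(t, t2, True)
        if hd is None:
            return None
        tl = unify(apply(m, hd), apply(m2, hd), True)
        return None if tl is None else compose(hd, tl)
    tl = unify(m, m2, False)                # alternate program: θ_tl ◇ θ_hd
    if tl is None:
        return None
    hd = unify(apply(t, tl), apply(t2, tl), False)
    return None if hd is None else compose(tl, hd)

def vars_measure(s, s2):
    """For the list problem (t∘m, t'∘m') with θ_hd = unify(t, t') ≠ nil: the
    variable set of the tail problem and that of the original problem."""
    hd = unify(s[0], s2[0])
    tail = vars_of(apply(s[1:], hd)) | vars_of(apply(s2[1:], hd))
    return tail, vars_of(s) | vars_of(s2)
```

On the paper's example, vars_measure returns ({'y', 'z'}, {'x', 'y', 'z'}), the proper inclusion that the ≺_vars component of the ordering relies on; on the constructed pair [x, y] against [y, x], the head-first program returns {x ← y} and the alternate returns {y ← x}.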

In  general,  by  exploring  different  branches  of  the  proof  tree,  we  may  obtain  families  of  different 
unification  algorithms  analogous  to  the  families  of  different  sort  programs  obtained  from  a  single 
specification  by  Clark  and  Darlington  [1980].  The  particular  derivation  we  obtained  did  not  take 
the  efficiency  of  the  final  program  into  account.  Other  branches  of  the  derivation  tree  lead  to  more 
efficient  unification  algorithms. 


AUTOMATION  OF  THE  PROOF 


Our primary objective in examining the above derivation in such detail is to consider the computational prerequisites for discovering the proof automatically. Let us review the proof from this point of view.

The first requirement of a theorem-proving system for program synthesis is that it be able to prove theorems that contain existential quantifiers and that require mathematical induction. Existential quantifiers are necessary to transform the specification into a theorem, and induction is necessary to introduce repetitive constructs into the target program. Although resolution theorem provers, say, can prove theorems with existential quantifiers, and several theorem provers (e.g., Boyer and Moore [1975], Huet and Hullot [1980]) can do proofs by induction, it is rare to see these abilities combined.

The amount of knowledge about $\ell$-expressions and substitutions necessary to produce the above proof is formidable. If such knowledge were built into the system, the system would then be specially tailored to this subject domain, and would lose generality. On the other hand, if the knowledge were provided to the system as a set of axioms, the system would also need to know how to use the knowledge efficiently.

Much of the derivation proof is fairly mechanical. At each stage, one must decide which property to apply next, from a finite collection of legal next steps. However, certain steps are not straightforward, and are motivated only by their ultimate success. For example, in the list cases, the straightforward use of the induction hypothesis failed, but the application of the definition of composition allowed us to use the induction hypothesis in a more general way, and resulted in the introduction of the composition $\theta_{hd} \diamond \theta_{tl}$ in the final program.

In finding the well-founded ordering $\prec_{un}$, the use of the sets $\mathit{vars}(s)$ and $\mathit{vars}(s')$ of variables in the $\ell$-expressions $s$ and $s'$ was not suggested by the specification, which makes no reference to this notion.

The idempotence condition $\theta = \theta \diamond \theta$ was included in the initial specification. This condition played a vital part in the proof; however, the unification algorithm would be equally useful without this property. Had the idempotence condition not been required initially, it or an equivalent condition would have had to be invented and added to the specification in the middle of the proof.

Even  with  the  idempotence  condition  provided,  the  proof  seems  somewhat  more  difficult  than 
current  theorem-provers  can  produce.  Our  hope  is  that  studying  hand  derivations  of  this  sort  will 
enable  us  to  improve  the  power  of  automatic  systems. 


INTERACTIVE  SYNTHESIS 


Although the above proof may be beyond the power of current automatic systems, a partially interactive system could be used to produce it with known techniques. This approach requires more human effort, but it still would convey many of the benefits of automatic synthesis:

• The person would provide those steps that require cleverness, but the system would take care of the routine details.

• Whatever mistakes the person might make, the system would not permit him to produce a program that did not meet its specification.

• The program would be accompanied by a full proof of its correctness.

• The derivation could be retained, so that if the program needed modification, the appropriate portions of the program could be updated without endangering its correctness.

• The assumptions on which the correct operation of the program depends would be made explicit.

Of course, for an interactive system to be successful, it would have to communicate in terms the person would be able to understand.